Exporting passkeys

This discussion was created from comments split from: How do I export and backup my passkeys?.

Comments

  • nicos18
    nicos18
    Community Member

    Hi @Dave_1P,

    any update on the possibility of exporting passkeys?

    Thanks.

  • @nicos18

    I don't have any updates to share at the moment. Can you tell me a little more about why you're looking to export passkeys? As far as I know, exported passkeys can't be imported anywhere or used anywhere. πŸ™‚

    -Dave

  • nicos18
    nicos18
    Community Member

    Hi @Dave_1P,

    I'd like to save and export my passkeys in case something happens to my 1Password account and I have to start from scratch.

    Having a 1Password exported file with the passkeys would be useful.

    Thanks.

  • @nicos18

    Thanks for those details, I've shared them with the team. We’re continuing to work with platform vendors and other password managers through the FIDO Alliance to create a secure, and standardized, way to export and import passkeys.

    Hopefully we'll have more to share in the future. πŸ™‚

    -Dave

    ref: PB-38107156

  • deviantintegral
    deviantintegral
    Community Member

    We've had to keep passkeys disabled at our organization because of portability concerns. While there aren't any tools that can import them yet, I think we'd enable Passkeys if at least they could be exported. Even an encrypted JSON blob would be fine.

    I do worry about our team members creating passkeys on personal accounts, and accidentally locking themselves in to 1Password. It's really a challenging UX given how both 1Password and specific sites are promoting passkeys during login and registration flows.

  • @deviantintegral

    Thank you for sharing that feedback, I've passed it along to the team.

    For the time being, you can create a new passkey for a website any time within another provider and remove any existing passkeys from 1Password. But I do understand the need for a more streamlined export/import option.

    -Dave

    ref: PB-38551106

  • PastaShock
    PastaShock
    Community Member

    Keepass, the open source password manager, will let you export a passkey. But you obviously can't import it anywhere except keepass.

    The fact that the FIDO Alliance came up with passkesy and didn't even think that import and export was a feature needed on day 1 is a HUGE oversight. I've been playing with passkeys, but I don't dare use them until there is a universal export and import format for them. If the FIDO alliance won't come up with one, then it's for the password managers to come up with their own solution together. Maybe adopt what keepass has done.

  • ag_tommy
    edited March 26

    @PastaShock

    We currently don't support passkey export because there isn't a secure way to do so, yet. We don't think exporting passkeys in plain text is a best practice security wise and we won't be introducing that type of export functionality for passkeys.

    We are aware of others using this plain text method, but we'd rather be patient and keep working within FIDO to introduce the passkey import/export standard that is inline with the security passkeys and 1Password brings.

    For now I would recommend Dave's advice.

    Create a new passkey for a website any time within another provider and remove any existing passkeys from 1Password.

  • chrisrom
    chrisrom
    Community Member

    I also recently started switching to passkeys and as I always keep a recent backup of the entire 1Password DB as 1pax file on an encrypted flash drive, I would also like to see passkey export/import functionality within these unencrypted 1pax files. As everything in these files is unencrypted, I don't see the danger of dumping the passkey data into this file as well. Ideally other password managers such as KeePass would at some point use the same standard so that they could also import the passkeys. But I suppose this is up to the FIDO alliance. However, waiting till this has been resolved and not giving the possibility to get the data out and into 1Passoword via a manual backup also doesn't feel right. It would certainly be nice if you could allow this already (maybe call it "1Pax export (passkey preview version)")

  • @chrisrom

    Thank you for reaching out. Exports aren't really designed to be used as a backup since they lack features like versioning, they're just intended to be used to transfer your items to another password manager if you decide to leave 1Password in the future.

    Your 1Password membership already includes automatic backups of your items to your account in the cloud. If you need to restore a previous version of an item because it was accidentally edited or deleted then you can do so from 1Password.com:

    I would also like to see passkey export/import functionality within these unencrypted 1pax files. As everything in these files is unencrypted, I don't see the danger of dumping the passkey data into this file as well.

    Exporting a passkey into plain text would remove the security and anti-phishing benefits of passkeys. It would just turn passkeys into fancy versions of passwords that can be phished and stolen. The inability to export or render a passkey into plain text is part of the security design of passkeys.

    As mentioned earlier in the thread, 1Password is working with partners in the FIDO Alliance to create a standard and secure way to export and import passkeys across various password managers. I don't have any news to share but hopefully we'll hear more in the future. In the meantime, I've let the team know that you're eager to see this functionality be released. πŸ™‚

    -Dave

    ref: PB-39555580

  • chrisrom
    chrisrom
    Community Member
    edited May 3

    Hey @Dave_1P. Thanks for the reply.

    I'm fully aware that exporting a 1pux doesn't allow for versioning and I also very much appreciate the built in backup functionality as well as everything you might have going on in the backend in regards to redundancy and backups. However, I still want (and have) an unencrypted export on an encrypted memory stick in my safe at home and off-site. All the built in backups in the world would not persuade me not to do so. In that respect my brain ticks in the 3-2-1 methodology for backup best practices. Having everything solely in 1Password will hopefully work as long as the world does not drop into anarchy πŸ˜€, but it is still one single point of failure from the user perspective. For me personally, this is also the single reason why I'm not yet jumping all in on passkeys since as a user you loose an aspect of control that you had before when using passwords (and TOTPs). I think that this might also be the problem that many other people see with passkeys. There are forums and posts filled with feedback on bad experiences, when for example Apple Keychain thinks it wants to purge stored passkeys out of no reason (see this very interesting post https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/). If you had a secure backup available you would think "okay... s**t happens... let's restore that key". But currently it is more of "oh cr*p! how can I now log in to this website!??, I also have no backup of that key! AHHHHHhhhhh!" πŸ˜€

    As of this thread https://community.bitwarden.com/t/passkey-portability/59177/15 it seems that bitwarden is capable of exporting and importing back passkeys (and the people there have very similar arguments like me in respect of passkeys and the fact that they currently are a locked away (fragile) blackbox for customers) - so from the technical point of view it is feasible.

    If security is the main aspect. Why don't you allow to export a file that is encrypted or is unencrypted and resides in an encrypted container? But still... if that would be the argument, the same can also be applied to the unencrypted export of all credentials in the existing file formats. If you loose that file, you're screwed πŸ˜€. The same would obviously apply to the export of passkeys as well, but the increased security they provide would still fully apply. The way how users handle their data exports from my point of view has to be viewed completely orthogonal to the way how they use their data in 1Password.

  • We are aware of other vendors using a plain text method. We're going to keep working within FIDO to introduce the passkey import/export standard that is inline with the security passkeys and 1Password brings.

    Thank you for the feedback. I'll get it shared with the team.

  • chrisrom
    chrisrom
    Community Member

    Can you guesstimate a timeframe when such a feature could find the way into 1Password? Is it still in super early discussion or are the plans already laid out?

  • @chrisrom

    The team is currently working with our partners in the FIDO Alliance to create a secure way to export and import passkeys but I don't have any timeframes to share at the moment.

    -Dave