Passkey and 1Password

lodaka
Community Member
edited February 8 in 1Password in the Browser

I noticed that you can only have ONE passkey at a time in 1Password. Why is this?

The reason why I ask is... due to Google's strange implementation of passkeys, Google treats both passkey and 2FA "security key" as "passkey". So, for instance, if I register a "passkey" in Google using 1Password, and then immediately use 1Password to register a "security key" in 2FA settings, 1Password replaces the first "passkey" entry with the "security key" entry (but still calling it "passkey"). This appears to be by design but I wasn't sure why it works like this. Thanks.



Comments

  • Hello @lodaka! 👋

    Thanks for the question! You can only save one passkey per Login item in 1Password. Once you save a passkey for an account in 1Password, that passkey will be available for sign in on all of your devices.

    Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can’t be phished like a traditional password because the underlying private key never leaves 1Password – this also makes them resistant to social engineering scams.

    Two-factor authentication, using technologies like hardware security keys, was designed to add an additional layer of protection to passwords against phishing. Passkeys are already resistant to phishing and can be considered to have the same level of security as a password plus two-factor authentication, with a lot less friction. Thus, there's no need to save a security key as another passkey if you're already using a passkey for authentication.

    -Dave

  • lodaka
    Community Member
    edited February 8

    @Dave_1P Thanks and yes, I am aware of this. I suppose this is still part of my trying to understand how passkeys fit into my life. Part of the reason for trying this out in the first place is that Google doesn't seem to agree with you. Haha.

    For instance, if I register a "passkey" with Google, it still thinks that I need a 2FA method. If I register a security key (i.e. a passkey in 1Password) in Google's 2FA, it still prompts me to register a passkey... while the whole time, both keys would be listed in their "passkey" section. Lol.

    Thank you for the information.

  • @lodaka

    Thanks for the reply. You can save a one-time password to use as a second factor for your Google account instead of saving another passkey: Use 1Password as an authenticator for sites with two-factor authentication

    Alternatively, you can use a hardware security key, which would provide you with a true second factor. Hopefully passkey implementations become more standardized as time goes on. 🙂

    -Dave

  • lodaka
    Community Member
    edited February 8

    Great... I don't want to belabour this point too much, but here is one little quirk that I found out during my attempt to understand why Google does this:

    • If I set up a passkey in Google using 1Password, 1Password generates an entry. Perfect.
    • Then I turn on 2FA in Google and then again use 1Password, then 1Password replaces the previous one with another passkey (presumably, this time as a 2FA "security key").
    • Then I go into the "Passkey" section of Google, which shows both keys "1Password" and "1Password 2", and then I remove the first passkey from Google.
    • Then, now Google thinks that I have set up a passkey and a security key for 2FA. For instance, when I log in, I can use either the passkey method OR the password. When I choose the password method, Google asks for a security key as 2FA... and it works then too. How wonderfully peculiar.

    Yes, standardization (and time) might be needed. Thanks.

    EDIT: Part of the reason for doing the above might be... that, even with a passkey, Google still lets you log in using a password only. By doing the above, there is no way to log in without having a passkey, i.e. the weakest link argument.

  • @lodaka

    Thanks for sharing your experience. Security keys use the same underlying WebAuthn technology that passkeys do and 1Password can't tell the difference between a security key and a passkey. Personally, I would save your actual passkey in 1Password and use a hardware key, or TOTP, for two-factor authentication if needed.

    "Part of the reason for doing the above might be... that, even with a passkey, Google still lets you log in using a password only. By doing the above, there is no way to log in without having a passkey, i.e. the weakest link argument."

    The password option is still available for most services since not everyone has made the jump to passkeys yet and some platforms may not yet support passkeys (such as older devices). In those cases, a password would still be useful for signing in.

    -Dave
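
The sequence described in this thread, modelled as an added example (not code from 1Password or Google): two WebAuthn registration ceremonies for the same account, run against a hypothetical credential manager that keeps one credential per login item. The option values, `OneSlotManager`, `differingFields`, and the `cred-N` ids are constructed for illustration.

```javascript
// Constructed registration options (not Google's real values). In the browser,
// user.id is a BufferSource; a string stands in for it here.
const passkeyOptions = {
  rp: { id: "accounts.example", name: "Example" },
  user: { id: "user-1", name: "user@example.com" },
  pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  authenticatorSelection: { residentKey: "required", userVerification: "required" },
};
// Second ceremony, as a site might issue it for a 2FA "security key".
const securityKeyOptions = {
  ...passkeyOptions,
  authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" },
};

// Top-level option fields whose values differ between two ceremonies.
function differingFields(a, b) {
  return Object.keys(a).filter((k) => JSON.stringify(a[k]) !== JSON.stringify(b[k]));
}

// Hypothetical credential manager: one slot per login item (rp.id + user.id).
class OneSlotManager {
  constructor() { this.slots = new Map(); this.nextId = 1; }
  register(options) {
    const key = `${options.rp.id}|${options.user.id}`;
    const replaced = this.slots.has(key) ? this.slots.get(key).id : null;
    const credential = { id: `cred-${this.nextId++}`, type: options.pubKeyCredParams[0].type };
    this.slots.set(key, credential); // the earlier credential for this item is overwritten
    return { credential, replaced };
  }
  holds(id) { return [...this.slots.values()].some((c) => c.id === id); }
}

// Run both ceremonies; the relying party records every credential it is given.
function simulate() {
  const manager = new OneSlotManager();
  const siteList = [];
  const first = manager.register(passkeyOptions);
  siteList.push(first.credential.id);
  const second = manager.register(securityKeyOptions);
  siteList.push(second.credential.id);
  return {
    differing: differingFields(passkeyOptions, securityKeyOptions),
    sameType: first.credential.type === second.credential.type,
    replaced: second.replaced,
    orphanedAtSite: siteList.filter((id) => !manager.holds(id)),
  };
}

console.log(simulate());
```

The `orphanedAtSite` entry corresponds to the first "1Password" listing that remained on the site's passkey page after the manager replaced its stored credential; such stale entries are worth removing at the site, since no stored key matches them any more.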