Unintentional lockout involving biometric security

Racer77
Racer77
Community Member
edited February 28 in Unlock with passkeys

I accidentally locked myself out of a test account due to some weird interactions with biometric unlock. I'm not sure if there's anything I could've done differently (besides generating the recovery code sooner, obviously), but I figured it was worth sharing:

  • I have an existing account signed in on my desktop and phone. I'm using the biometric unlock, requiring a password every 2 weeks, and auto-locking after 2 minutes.
  • I create the test account, and save its passkey to my existing account.
  • I sign into the test account on 1password.com using my phone (unrelated, I previously toggled some Chrome flags to get 3rd-party passkeys working), and change the account username before signing out. I had ticked the public computer checkbox, so no secret key was stored in the browser.

At this point I decided to sign back and create the recovery key. In order:

  1. I successfully used the passkey to start the signin, switching the app's account context to my existing account.
  2. The test account reaches the 2 minute inactivity limit and locks. Since this is the first time it has locked, biometric security requires a password (or in this case a passkey).
  3. To authorize the new login, I need to access the test account on my phone. The prompt switches the app account context back to the test account, and requests a sign-in.
  4. For this, I need the passkey from my existing account. But I can't unlock the existing account without first unlocking the new account, which appears to have priority. The app is effectively deadlocked at this point.
  5. I open the request's QR code (for the app login) hoping to use the passkey from my desktop, but I can't find a way to have 1Password scan that code.
  6. Eventually I have to clear all data on the 1Password app and sign back into my existing account.

The test account is permanently locked out now, but I used an email alias and didn't store anything in it anyways. So I had a few questions:

  • Is there a way to switch the account you're logging into in the 1Password app? This scenario only occurs when a "new device authorization" triggers the login; the biometric security didn't cause issues when I switched accounts in-app.
  • Is there any way to scan/handle passkey request QR codes from either the browser extension or desktop app? I wasn't sure if this was part of the current limitations on Linux.

1Password Version: 8.10.26-38.BETA, 8.10.26 (81026011)
Extension Version: 22100002 (Linux)
OS Version: Android 14 (UQ1A.240105.002), Fedora 39 (6.6.14)
Browser: Chrome Beta 122.0.6261.43, Chrome 121.0.6167.139

Comments

  • Hello @Racer77! 👋

    Thank you for helping us test the passkey unlock beta and for providing such a detailed report of your experience. I'm sorry that you ran into issues and the team would like to look into this further. Would you be willing to reproduce the issue one more time and then create a diagnostics report from your Android device? You can find instructions here:

    Sending Diagnostics Reports (Android)

    Attach the diagnostics to an email message addressed to support+forum@1password.com.

    With your email please include:

    Please send the entire file.

    You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much!

    -Dave

  • Racer77
    Racer77
    Community Member

    Hi @Dave_1P, thanks! The support ID is NJK-19878-241.

    The sequence of events was a bit different. This time, I couldn't even complete the first login on the web, as I never received the notification to approve the login. When I opened the app, I was able to access my regular account, but attempting to switch to the test account would also prompt for a non-existent notification.

  • david.m_1P
    edited February 28

    Thanks for sharing the Support ID, @Racer77!

    One of my colleagues will be in touch with you soon. In order to prevent having the same conversation in two different places, I'll close this thread.

    -David

    ref: NJK-19878-241

This discussion has been closed.