
How do I protect two-factor authentication and passkey access against infrastructure failures?

Harry9449
Community Member
edited May 7 in Memberships

Security involves not only preventing unauthorized access, but also ensuring authorized access.

When I'm just using passwords, I can back up my sites and passwords to a safe place, say an encrypted thumb drive in a safety deposit box. Then, if for some reason I lose my iPhone account, or my 1Password account, or any physical object involved in my security, I can recover access to my websites. My question is that when using two-factor authentication for sites that only provide for one second factor, or when using passkeys eliminating password access, how do I secure myself against catastrophic failures?

It is not clear to me how, in the face of possible catastrophic failure, such as the little man with magnetic feet stepping on an important bit in my 1Password account, I ensure access when using passkeys. Maybe the security pros think it's clear from the white papers, but I just don't get it.


1Password Version: 8.10.30
Extension Version: Not Provided
OS Version: Win 11 Home 64 bit, 23H2
Browser: Not Provided

Comments

  • Tertius3
    Community Member

    @Harry9449 If you use 1Password, your data is stored in encrypted form on the 1Password servers. This is the master copy of your data.
    If you sign in to some device of yours, this data is copied to that device and kept up to date by continuously syncing. Now there are 2 copies of your data. On your device and on the servers. The more devices you use, the more copies of your data exist. A "device" for 1Password is every installation of 1Password. The desktop app is one device and holds one copy of your data. The browser extension is an extra app that also holds one copy of your data. The website 1password.com is also an extra app that holds one copy of your data.
    1Password also performs backups of all their data, so copies of your data will also exist in the backups 1Password does internally.

    Your data will be lost in the extremely rare event every single copy of that data is destroyed:

    • every single device and app of yours where you're signed in is lost
    • and 1Password has a catastrophic failure at their live site
    • and all backups 1Password did are destroyed

    I guess it's more likely to be hit by a train than for all this to happen together.

    I guess you actually fear that somehow 1Password "isn't working any more". That a passkey login somehow suddenly doesn't work any more. Since you cannot have a readable copy of that passkey, you don't have any ability to try it somewhere else with some other password manager.
    You actually fear you lose control.
    That's probably one of the bigger obstacles to widespread use of passkeys and may be an obstacle for many people to using password managers in the first place.

    However, you have to put your trust into a password manager you use. You have to learn to trust that this password manager will not suddenly stop working. You don't need to trust them to keep your data secret, because they just have encrypted copies of your data and cannot embezzle this, but you need to trust their apps will not stop working. That their apps are reliable. That's why you should carefully choose your password manager.

  • Harry9449
    Community Member

    Thanks for your response.

    My distrust is directed at my infrastructure rather than 1Password's. I am willing to assume that 1Password is sufficiently secure against data breaches, severe EMPs, etc. However, as a retiree with no offsite devices, it is entirely possible for me to lose all of my devices to a lightning strike on my powerline (this has happened), a fire, tornado, etc. With a copy of my emergency kit in my safety deposit box, I am reasonably hopeful that I can establish a new device with 1Password, which will restore my access to passwords. However, how do I restore passkey access to my websites? Is the assumption that I also have another means of access to establish new passkeys?

  • Tertius3
    Community Member

    If you store your passkeys within 1Password, they're cloud synced. It's similar with every password. In case you lose every device and restore access to 1Password with your emergency kit from your deposit box, you also regain access to all the passkeys stored within 1Password.

    Keep in mind you need 2 or 3 things to restore access to 1Password: the secret key contained in the emergency kit, the account password, and additionally, in case you activated multi-factor authentication for 1Password, the QR code to create a new 1Password entry in Google Authenticator or whatever authenticator app you choose.

  • ag_tommy

    Thanks @Tertius3

    @Harry9449

    I would look at using a 1Password membership to sync any passkeys you might have. Regaining access to your account via account recovery would be the best path forward as Tertius3 describes.