"Unlock 1Password with a passkey (beta)" - non-iCloud keys need support!

b36411
b36411
Community Member
edited July 1 in Unlock with passkeys

I've been a 1Password customer for a long, long time. I'm now moving to a passkey based system where I use physical security keys.

I was excited to try out the "Unlock 1Password with a passkey (beta)" (https://support.1password.com/passkeys/). Unfortunately, it looks like:

  • On Mac desktop, the only supported passkey is iCloud keychain. This means storing the passkey in iCloud. If I was going to do this, I would probably opt to store other passwords in iCloud Passwords. But I dislike iCloud for many reasons. I want to use my physical security key, not iCloud. There does not appear to be a way to use my physical security key (yubikey 5, a FIDO2 device)

  • On iOS, the same problem presents itself. I have not deeply investigated, perhaps it's possible to use a Yubikey as the "master" passkey for 1Password here? It looked similar to the Mac setup.

This is a really important issue for me and the company I work for. I am considering leaving 1Password which I would freaking hate to do, but other password managers support this feature. 1Password's support does look much better, e.g. there is no master password created, which is great! I would love to continue using 1Password, I just really need to be able to use a physical hardware key for the passkey and not iCloud.

Edit: After looking at some other posts, it's clear that a hardware passkey is supported, but that you need to use iCloud keychain for your first passkey. My organization is in a regulated industry so using iCloud as an 'in-between' step is definitely less than ideal.

I was able to:

  1. Create a new test account using a passkey stored in iCloud keychain.
  2. Add a new passkey, using my Yubikey (hardware security key)
  3. Delete the iCloud keychain passkey.

So if you have an e.g. Yubikey you'd like to use as your passkey, that's how you do it!

This worked fine. But it'd be nice to be able to skip the step!


1Password Version: 8.10.34
Extension Version: Not Provided
OS Version: 14.5
Browser: Chrome

Comments

  • b36411
    b36411
    Community Member

    Hi Dave, I added a question about storing the passkey in a hardware security key. In my experience with the desktop beta on Mac, it doesn't seem possible to use a hardware security key and iCloud keychain is required:

    https://1password.community/discussion/146465/unlock-1password-with-a-passkey-beta-non-icloud-keys-need-support#latest

  • JonasKrausch
    JonasKrausch
    Community Member

    I saved the passkey for my 1Password Beta-Test Account in my "main"-1Password Account. I never had to use iCloud to store a passkey. I also added a FIDO2 passkey afterwards (did not test if would work without storing a passkey to 1P first)

  • GuustFlater
    GuustFlater
    Community Member

    Confirmed Passkeys are stored in 1Password.

    Question:
    If all trusted devices are lost (Imagine a house fire and all is gone....)

    Going to the Apple Store buy a new iPhone, computer, retrieve the 1 password emergency kit. Will the passkey's stored in 1Password work again?

    I know the 2FA / OTP will work but need confirmation about Passkeys.

  • b36411
    b36411
    Community Member
    edited July 11

    @GuustFlater I believe in this case the new recovery code function is used rather than the emergency kit:

    https://support.1password.com/recovery-codes/

    The emergency kit contains a secret key which is not used with the passkey-login 1Password. Instead what is needed is:

    1) Recovery code
    2) Access to your email associated with the 1Password account

    The recovery code can be safely stored off-site (e.g. a relative's house) because in order to get into your 1Password account, access to your email address is still needed.

  • GuustFlater
    GuustFlater
    Community Member

    Thanks for your reply!
    Its these "details" we need to know so we don't find out when its too late.

    Also from a previous reply from tech support I learned that when you have enabled the recovery code you still can't get inn if you have 2FA enabled or are using a Yubikey...

    Would be nice if someone from 1Password could give us the full scope about the various scenarios.

  • b36411
    b36411
    Community Member

    I think you are referring to the thread here:

    https://1password.community/discussion/comment/713088/#Comment_713088

    In the thread, @ag_tommy says that a recovery code basically replaces the need to know the password and/or secret key. A 2FA method, if required, is still needed to log into the account.

    But this is for the regular 1Password accounts with a password and secret key.

    For 1Password accounts with a passkey as the login method, the situation has to be different. My understanding is that in this case, the recovery code (along with access to the associated email address), is all that is required to get into the account.

    After all, recovery codes were created at first on the passkey-for-login account type, then later moved to the general password-for-login account type.

    • Regular account (password + secret key) + MFA on => recovery code + email access + MFA needed.
    • Regular account (password + secret key) + MFA off => recovery code + email access needed.
    • Passkey login account (passkey only) => recovery code + email access needed.

    This is my understanding. I do not know why 1Password chooses to require the MFA for the regular account (password + secret key + MFA) when using the recovery code. It does not seem necessary.