A cool idea on passkey unlock
Hello!
While browsing through the 1Password community, I noticed that a lot of users are requesting a way to log into 1Password with their hardware security keys.
I myself didn't test the passkey feature yet, but I saw the whitepaper and know how passkeys work in the current system.
If I remember correctly, 1Password clients store device keys which encrypt the AUK, and even though it supports hardware security keys as passkeys, the encryption key isn't stored in the security key, right?
So you need a trusted device in addition to a passkey to login.
For this, I have an idea that would make using passkeys in 1Password much simpler and much more secure as well.
The basic idea is using OpenPGP smartcards in place of the passkey and the 2FA.
Let me explain this in more detail.
When creating a new account or switching an existing account to use passkeys, the user would have an option to use hardware smartcards as passkeys.
When the user clicks that button, the 1Password client will randomly generate the AUK as usual and prompt the user for an OpenPGP public key file.
This is where things get interesting.
If the user imported or generated an OpenPGP key pair in a hardware smartcard such as the YubiKey 5 OpenPGP application, the private key remains in the card and is not exportable, while the public key flows freely around the filesystem and the internet.
This allows the user to set up their hardware security key without having the security key.
Once the user chooses their public key, the 1Password client will encrypt the AUK with the user's public key and send the encrypted AUK to the 1Password server.
From this point, the user is able to unlock and sign in using only the security key and the security key PIN. No master password and secret key required.
It can even replace 2FA since the security key is usually PIN protected.
Even this isn't the end of the advantages it offers.
The asymmetric nature of OpenPGP will allow the user to set up the same security key for multiple accounts without plugging in the key itself. All they have to do is use their public key to encrypt the AUK of the new accounts and send those to 1Password.
Another advantage is security, compared to traditional passkey unlock.
Unlike the traditional method, device keys will not be stored in unencrypted form for an extended amount of time. Instead, the private key to decrypt the AUK will remain in the secure element of dedicated hardware, so it would be an ideal solution if your device doesn't have a hardware-backed secure enclave.
If there are concerns about losing the hardware key, this isn't going to be a problem, as the recovery code will come to the rescue. It would even be possible to generate a new PGP key pair inside a backup security key and use that in place of the recovery code.
I think this feature is a dream solution. Users will feel ultra convenient, the login process will become ultra secure, and it could even make 1Password stay ahead in the password manager market.
This feature would also allow devices with a secure enclave to be used in place of OpenPGP smartcards with some modifications.
I think this feature, if it gets implemented, will definitely improve the passkey unlock experience significantly.
Please note that I mixed the terms security key and smartcard here, because not all security keys are smartcards and not all smartcards are security keys.
The terms smartcard and security key both refer to hardware devices that securely store cryptographic keys and perform cryptographic operations like key generation, encryption and decryption inside a dedicated secure cryptochip.
Please let me hear your thoughts on this feature.
Thank you
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
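The flow the post sketches, as an added example that is neither part of the original post nor 1Password's code: a random AUK is wrapped under an exported public key at enrolment (no card needed), and only the card holding the matching private key can unwrap it at unlock time. An in-process RSA key pair stands in for the OpenPGP smartcard and RSA-OAEP stands in for OpenPGP's public-key encryption; the `Card`, `Enroll`, `Scenario` and `Outcome` names, the OAEP label and the 32-byte AUK size are all assumptions made for this illustration.

```go
package main

// Added illustration, not 1Password's code. An in-process RSA key pair stands
// in for the OpenPGP smartcard and RSA-OAEP for OpenPGP public-key encryption;
// every type and function name here is hypothetical.

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OAEP label binding the ciphertext to this purpose (constructed value).
var aukLabel = []byte("auk-wrap-demo")

// Card models the hardware: the private key is generated inside and never exported.
type Card struct{ priv *rsa.PrivateKey }

// NewCard generates a key pair "on the card".
func NewCard() (*Card, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

// PublicKey is the only thing that leaves the card; it is safe to copy around.
func (c *Card) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Unwrap is the single private-key operation the card performs (behind a PIN
// check on real hardware). It fails if this card does not hold the matching key.
func (c *Card) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, wrapped, aukLabel)
}

// NewAUK draws a fresh random 256-bit account unlock key, as the client would.
func NewAUK() ([]byte, error) {
	auk := make([]byte, 32)
	if _, err := rand.Read(auk); err != nil {
		return nil, err
	}
	return auk, nil
}

// Enroll wraps the AUK under an exported public key. Only the public key is
// needed, so this works with the card left in a drawer; the output is the blob
// the client would upload to the server.
func Enroll(pub *rsa.PublicKey, auk []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, auk, aukLabel)
}

// Outcome records which of the post's claims the simulation confirms.
type Outcome struct {
	OneCardUnlocksBothAccounts bool // same public key enrolled on two accounts
	UnenrolledCardFails        bool // a card whose key was never enrolled gets nothing
	BackupCardRecovers         bool // AUK additionally wrapped to a backup card's key
}

// Scenario enrolls two accounts with one card's public key, adds a backup card
// to the first account, and checks which card can unlock what.
func Scenario() (Outcome, error) {
	var out Outcome
	card, err := NewCard()
	if err != nil {
		return out, err
	}
	backup, err := NewCard()
	if err != nil {
		return out, err
	}
	auk1, err := NewAUK()
	if err != nil {
		return out, err
	}
	auk2, err := NewAUK()
	if err != nil {
		return out, err
	}
	// Enrolment uses public keys only; no card is plugged in here.
	blob1, _ := Enroll(card.PublicKey(), auk1)
	blob2, _ := Enroll(card.PublicKey(), auk2)
	blobBackup, _ := Enroll(backup.PublicKey(), auk1) // recovery path for account 1

	got1, err1 := card.Unwrap(blob1)
	got2, err2 := card.Unwrap(blob2)
	out.OneCardUnlocksBothAccounts = err1 == nil && err2 == nil &&
		bytes.Equal(got1, auk1) && bytes.Equal(got2, auk2)

	_, errOther := backup.Unwrap(blob1) // backup key was never enrolled for blob1
	out.UnenrolledCardFails = errOther != nil

	gotBackup, errBackup := backup.Unwrap(blobBackup)
	out.BackupCardRecovers = errBackup == nil && bytes.Equal(gotBackup, auk1)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The point of the simulation is the asymmetry the post relies on: `Enroll` touches only the public key, so adding a second account or a backup card never requires the primary card, while every unlock is a private-key operation that only the enrolled card can perform.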