1Password's threat model for storing 2FA and passkeys in 1Password
We're discussing whether to allow employees to store passkeys in 1Password or use Apple Keychain.
I've tried to find more details about how 1Password stores, generates and synchronizes passkeys, but I haven't had much luck, so I thought I would ask here:
What is the reasoning behind collapsing two-factor auth into one factor (1Password)? What factors of 1Password's implementation mitigate concerns about the device being compromised?
In my understanding, key generation is moved from the device entirely into 1Password. Because this is (probably?) implemented in software vs. using Secure Enclave / TPM, what assurances do you have for correctness (FIDO compatibility) and safety? Are these libraries open source and/or audited?
1Password doesn't seem to require additional challenges based on location, IP change, etc. (i.e. adaptive security), something other passkey sync services like iCloud and Chrome do. Is there a rationale around this, or is functionality planned?
Can you point me to any detailed 1Password documentation that exists around this? Most useful would be a threat model. Google searches and searches of your knowledge base haven't led me there; Reddit discussions with speculation are the best I have been able to find.
Thank you
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
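To make concrete what "key generation moved into software" means for a passkey, here is an added illustration (not code from the poster, from 1Password, or from any password manager): a toy software-only authenticator that holds a P-256 private key as an ordinary in-memory object, produces a WebAuthn-style assertion over authenticatorData || SHA-256(clientDataJSON), and a relying-party verifier that performs the standard checks. The relying-party id, origin and challenge are constructed for the example; attestation is omitted as a simplification; it assumes the Python `cryptography` package is installed. The point of the failure cases is that the relying party's checks (origin, challenge, rpIdHash, signature counter) are the same whether the key lives in an enclave or in software; what software storage changes is only how hard the key itself is to extract or clone.

```python
import hashlib
import json
import os
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed relying-party id and origin for the example (not a real deployment).
RP_ID = "example.com"
ORIGIN = "https://example.com"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


class SoftwarePasskey:
    """Toy software-only authenticator: the P-256 private key is an ordinary
    in-memory object, which is exactly the property a sync-capable password
    manager has to protect (contrast with a non-exportable enclave/TPM key)."""

    def __init__(self):
        self._creds = {}  # credential id -> [private key, signature counter]

    def register(self, rp_id):
        # Hypothetical simplification: no attestation statement is produced.
        priv = ec.generate_private_key(ec.SECP256R1())
        cred_id = os.urandom(16)
        self._creds[cred_id] = [priv, 0]
        return cred_id, priv.public_key()

    def get_assertion(self, cred_id, rp_id, client_data_json):
        priv, counter = self._creds[cred_id]
        counter += 1
        self._creds[cred_id][1] = counter
        # authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([FLAG_UP | FLAG_UV])
                     + struct.pack(">I", counter))
        # The WebAuthn signature covers authenticatorData || SHA-256(clientDataJSON)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, priv.sign(signed, ec.ECDSA(hashes.SHA256()))


def make_client_data(challenge):
    """What the browser would build for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": ORIGIN}).encode()


def verify_assertion(public_key, rp_id, challenge, client_data_json,
                     auth_data, signature, last_counter):
    """Relying-party side checks, in the order the WebAuthn spec lists them.
    Returns the new signature counter on success, or None on any failure."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return None
    if cd.get("type") != "webauthn.get" or cd.get("origin") != ORIGIN:
        return None
    if cd.get("challenge") != challenge.hex():
        return None
    if len(auth_data) < 37:
        return None
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return None
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return None
    counter = struct.unpack(">I", auth_data[33:37])[0]
    # A counter that did not increase suggests a cloned key: the detection
    # hook a relying party keeps even when the key is held in software.
    if counter <= last_counter:
        return None
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    try:
        public_key.verify(signature, signed, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return None
    return counter


def demo():
    """Round trip plus two failure cases; returns a dict of outcomes."""
    authn = SoftwarePasskey()
    cred_id, pub = authn.register(RP_ID)
    challenge = os.urandom(32)
    cdj = make_client_data(challenge)
    auth_data, sig = authn.get_assertion(cred_id, RP_ID, cdj)
    ok = verify_assertion(pub, RP_ID, challenge, cdj, auth_data, sig, 0)
    # Replaying the same assertion: the counter no longer advances.
    replay = verify_assertion(pub, RP_ID, challenge, cdj, auth_data, sig, ok or 0)
    # The same signature presented against a different server challenge.
    other = verify_assertion(pub, RP_ID, os.urandom(32), cdj, auth_data, sig, 0)
    return {"fresh": ok, "replay": replay, "wrong_challenge": other}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives a counter of 1 for the fresh assertion and `None` for both the replay and the mismatched challenge. The questions in the post about enclave vs. software keys, audits and adaptive checks all sit outside this exchange: nothing in the assertion format tells the relying party where the private key was generated or how it was synchronized, so those assurances have to come from the vendor's documentation and threat model rather than from the protocol.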