
Passkeys Support

rctneil
Community Member
edited March 2023 in Memberships

Hey!

On the topic of today's blog post. I just wanted to ask for clarification on one point.

If your "password" to 1Password is a Passkey (as was indicated will be possible in the blog post), that key, I assume, is created and stored by the OS you created it on, and synced by the platform vendor's system (if they provide one, iCloud, Microsoft, Google, etc)?

If that is the case, I know you can sign into an alternative platform by using a QR code etc. My question then is, what happens if you need to sign in to a device that does not already have your key synced and you don't have another device to authenticate?

I know this may be highly unlikely, but am I right in saying that in that unlikely event, you'd be unable to access your account?

Will it be possible to have a passkey AND a password (that you could set stupidly complex and long) to use a backup to gain access?

Thanks. Really really really looking forward to the rollout of Passkey support. When's it coming?



Comments

  • MrC
    Volunteer Moderator

    I was just wondering about this today also, as I tried setting up a passkey for one site.

    Consider the disaster that just occurred in Turkey. I'm sure more than one person lost all of their devices that day.

    For the site I tried today, since 2FA was enabled for the site, I had to use 1Password to get the 2FA code. So, using a passkey was more troublesome than the traditional login method. But it's early yet.

  • Kakkoister2
    Community Member

    @MrC This is a really good point: what happens if you lose all your devices, and how would a recovery be possible with only a passkey?

  • XIII
    Community Member

    That’s why I am hoping you can somehow use more than one passkey and even physical security keys, like the YubiKey.

    However, I’m not sure how different keys can be used to generate the same encryption key/secret.

  • Kakkoister2
    Community Member

    @XIII Yes, it will be interesting to see how this is implemented.

  • Zaka7
    Community Member

    @XIII I hope for something similar and am looking forward to some clarification. It seems like some kind of bizarre loop having all the details saved within 1PW and then the keys to get into 1PW saved within one of the items that's in the 1PW vault itself.

    My main concern is recovery and backup. I've spent a long time getting it right for my family so we can access each other's accounts if needed; this would essentially make that redundant.

    For me, on the face of it, it seems like my current setup and keeping a password for 1PW is the way forward. And then using Passkeys for items in 1PW itself. That could be the sweet spot. For now at least.

  • rctneil
    Community Member

    For me, on the face of it, it seems like my current setup and keeping a password for 1PW is the way forward. And then using Passkeys for items in 1PW itself. That could be the sweet spot. For now at least.

    This is precisely what I was thinking of doing. Continue to use my Master Password, but keep it 100% unique and as well secured as ever.

    It just seems weird to me, as you said, to use 1Password to synchronise passkeys for everything but then not be able to store the passkey to 1PW within (the chicken and egg scenario rears its ugly head). It makes sense, but then we'd be relying on a platform-specific syncing service such as Microsoft, Google or Apple to sync that 1 specific key, but everything else would be synced on a cross-platform syncing service (1PW).

    I understand the issue here and do not know of a solution to it but thought I'd comment nonetheless.

  • Zaka7
    Community Member

    @rctneil It makes sense to me to not store the passkey for 1PW in 1PW itself. That's like the safe key in the safe kind of thing. Apologies if that's what you took from my comment originally. I meant like you mention having a secondary service like Apple storing the 1PW passkey is bizarre, especially if the Apple details are within 1PW. It could lead to a lock out or inability to implement a recovery should something happen to the user.

    I love the idea of passkeys and think they will be the future, and also help the average joe (not just us security geeks) stay much safer online. And I want everything in my 1PW account to eventually be a passkey and not a password.

    However, I can't work out in my head a single way where I'd want to replace the Master Password and Secret Key combination for 1PW itself with a passkey given I would need an additional service to manage this and ensure it was recoverable etc, I also think in my head it's less secure than the MP & SK combination we currently have.

    I am hoping one of the people significantly more clever than me, maybe the dark arts man himself @jpgoldberg will weigh in with how this could end up looking in the future.

  • rctneil
    Community Member

    Any update from 1Password regarding all this?

  • rctneil
    Community Member

    Any comments from the team? Also any news about when passkey support is arriving? Even any insider program to trial it?

  • Mitch

    Hey @rctneil,

    Long time no chat. :) I'm sorry I missed this thread when you started it last month. You've raised some great questions, and your excitement is contagious! I wish I could offer you a link to an insider program right now, and while that's not possible just yet, you're inspiring me and the team to work faster. 💪

    My question then is, what happens if you need to sign in to a device that does not already have your key synced and you don't have another device to authenticate?

    This is the trillion dollar question when it comes to passkeys, and it's one of the reasons we are taking our time to make sure we get this right.

    With passkeys, your trusted devices become your credentials. This might be a big mental hurdle to cross for people who are used to passwords. But in practice most of us already use our phones this way: we pay with credit cards in Apple Wallet, we use digital tickets and boarding passes, and we rely on devices for MFA and for SMS/email verification. We also rely on our phones to unlock 1Password and access our passwords on the go, as well as to sign in on new devices.

    Of course, there still needs to be an answer for what to do if something happens to all your devices (or to you). We're exploring multiple recovery options, ranging from the ones you get "for free" from your device vendor, like iCloud device backup and recovery contacts, to the family/team recovery feature which we already have in 1Password, to novel approaches for designating trusted contacts. Our goal is for passkey users to be able to set up as many recovery options as they need to have peace of mind without compromising security, just like they can today.

    This is precisely what I was thinking of doing. Continue to use my Master Password, but keep it 100% unique and as well secured as ever.

    I think sticking with a password can make sense for people who are confident about their security setup. If you put in the work to memorize a strong, unique password and ensure that you have a properly secured Emergency Kit, you are in a great place. But the unfortunate truth is that so many 1Password users struggle to get there. Passkeys give us a chance to make real progress in secure usability, especially for newer and less technical users.

    So I can also see a future where you might use a carefully secured password for your own family organizer account, but your kids use passkeys because it's much easier for them, while still being secure and recoverable in an emergency. We are going to make sure that we support mixed environments like this where some users in some accounts use passkeys, while others don't. It really depends on what makes sense for each individual, family, and organization.

    I could go on and am so excited to share more soon, but I hope I've given you something to think about for now! Please let me know if there's anything else on your mind about passkeys.

    -Mitch

  • rctneil
    Community Member

    @Mitch Thank you! That all sounds very sensible and along the lines my thoughts were headed.

    That "Insider program" you mentioned...

    I did register to take part in one. It's not that one, is it? Just wanted to ensure, as I'm sure you have many internally to 1Password as well as ones that people outside of 1PW can take part in.

    Please take your time with passkeys, and I do very very much look forward to transitioning some of my accounts to using them with 1PW support to manage it all behind me!

    Thanks again!

  • rpaulson
    Community Member
    edited May 2023

    My question then is, what happens if you need to sign in to a device that does not already have your key synced and you don't have another device to authenticate?

    I came across this topic because I asked myself the same question.

    I guess, a solution to the problem could be a printout with a QR code containing the private and public key material of the passkey (and maybe additional information defined by the FIDO2 spec if necessary), similar to 1Password's Emergency Kit PDF. This paper backup could then be stored in a safe place like a safe deposit box.

    And maybe with the option to encrypt the exported passkey with a password, as the QR code of the current Emergency Kit only contains the Secret Key, which is not sufficient information to access a 1Password account. Of course, users are still free to write down this password on the same piece of paper (like they are right now with the empty box for the master password in the Emergency Kit).

  • brsu
    Community Member

    you could also save your passkey on a security key like a yubikey which is more robust and resilient than a device like a smartphone

  • rpaulson
    Community Member

    I agree, it would definitely be a good backup solution to store an additional YubiKey in a safe deposit box. But I doubt that the majority of 1Password users will get an additional device for about 50 USD "just" to have a backup of their login credentials.

  • brsu
    Community Member
    edited May 2023

    it's getting more affordable, this is all you need : https://yubico.com/us/product/security-key-series/security-key-c-nfc-by-yubico-black/

    or they can still use the masterpassword + secret key which is secure enough

  • rpaulson
    Community Member

    True, better than 50 bucks =) But still, even though I also love using my YubiKeys, I don't think they'll ever be a mainstream product, even if they were handed out for free.

  • gooberv
    Community Member

    It’s great that 1password will support passkeys, but please maintain the ability to bootstrap back into any environment with a secret and master password. It's crucial for independence. Please don’t outsource the restoration of devices/1password to Google/Apple ecosystems. I don’t want someone who can crack into those ecosystems being able to bootstrap into my 1password account.

This discussion has been closed.