Passkey unlocked using device passcode


Hi,

A silly question, maybe, regarding unlocking 1Password with a passkey.
I was one of the private beta users and, while I found it very convenient, there is an aspect that worries me a lot. Probably it’s just me not understanding the details, that’s why I am asking here.

In the blog post describing the introduction of passkeys to unlock 1Password (https://blog.1password.com/unlock-1password-individual-passkey-beta/) you can read:

“Once you’ve created a passkey, you can unlock 1Password by using biometrics or, as a fallback, the passcode that protects your device. You can then use your first device to set up more trusted devices with 1Password.”

Let’s imagine that someone has access to my iPhone and tries to get into 1Password.
Biometric will not work, as his face is different from mine.

With the current master password, he needs to guess a long and complex sequence of letters, numbers and special characters. Very difficult.

With the passkey, he will only need to guess the passcode that protects my device. Much easier than my master password.

The entropy of the secret key of the passkey pair can be as high as you like, but if anyone can access it with the phone passcode (usually 6 digits; nobody will ever use a 26-character random password as a phone passcode), can someone explain to me how the passkey is as safe as the master password in a situation like the above?

Thanks!

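The reasoning in the question, that an unlock policy with a fallback is only as strong as its cheapest path, can be written down as a small model. The following is an added example, not code from the original post or from 1Password; the guess-space sizes (a 6-digit passcode, a 26-character random password over 62 printable characters, a 12-character alphanumeric device passcode) and the uniform guess rate are assumptions chosen to match the thread's wording, and a biometric is modelled as unguessable by someone whose face is not the owner's.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Factor:
    """One thing an unlock path may demand.

    guess_space is the number of equiprobable values an attacker would have
    to try; None means the factor cannot be guessed at all (a biometric that
    belongs to someone else).
    """
    name: str
    guess_space: Optional[int]

    @property
    def bits(self) -> float:
        if self.guess_space is None:
            return math.inf
        return math.log2(self.guess_space)


# Constructed factors (sizes are assumptions, see the lead-in).
BIOMETRIC = Factor("Face ID / Touch ID (owner's biometric)", None)
PASSCODE_6 = Factor("6-digit device passcode", 10 ** 6)
PASSCODE_ALNUM = Factor("12-char alphanumeric device passcode", 62 ** 12)
ACCOUNT_PASSWORD = Factor("26-char random account password", 62 ** 26)

# A policy is a list of alternative unlock paths (OR); each path is a list of
# factors that must all be supplied (AND). Cost of a path is the sum of its bits.
Policy = List[List[Factor]]


def path_bits(path: List[Factor]) -> float:
    return sum(f.bits for f in path)


def effective_bits(policy: Policy) -> float:
    """Work factor an attacker actually faces: the cheapest path through the OR."""
    return min(path_bits(path) for path in policy)


def weakest_path(policy: Policy) -> List[str]:
    """Names of the factors on the path an attacker would choose."""
    return [f.name for f in min(policy, key=path_bits)]


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every value at an ASSUMED uniform rate with no lockout."""
    if math.isinf(bits):
        return math.inf
    return (2.0 ** bits) / guesses_per_second


# The unlock policies discussed in the thread.
POLICIES = {
    "Account password unlock": [[ACCOUNT_PASSWORD]],
    "Passkey in iCloud Keychain, 6-digit passcode fallback": [[BIOMETRIC], [PASSCODE_6]],
    "Passkey in iCloud Keychain, alphanumeric passcode fallback": [[BIOMETRIC], [PASSCODE_ALNUM]],
    "Passkey in iCloud Keychain, biometric only (no passcode fallback)": [[BIOMETRIC]],
}


def report(policies=POLICIES, guesses_per_second: float = 1.0):
    """One row per policy: (name, effective bits, weakest path, seconds to exhaust)."""
    rows = []
    for name, policy in policies.items():
        bits = effective_bits(policy)
        rows.append((name, bits, weakest_path(policy),
                     seconds_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for name, bits, path, secs in report():
        print(f"{name}\n  effective strength: {bits:.1f} bits via {path}"
              f"\n  exhaustive search at 1 guess/s: {secs:.3g} s\n")
```

Adding a fallback path never raises the effective strength and usually lowers it to that of the fallback, which is exactly the point made in the question; removing the passcode path (biometric only) is what would restore the passkey's own strength against someone holding the unlocked phone.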

Comments

  • Ski4444
    Community Member
    edited December 2023

    I agree with the above scenario! Very worrisome that 1Password can be opened by only a phone's passcode, if I select the unlock with Passkey option! In my opinion, that is a big security design flaw! I will not be turning that option on.

    Apple, in the new iOS 17.3 beta, is finally implementing some protection if someone steals your phone and is able to obtain your phone's passcode. They have added much-needed protection to critical elements of your phone, like requiring only biometrics to unlock your iCloud (Keychain) password database. The iPhone's passcode is no longer a fallback to unlock your iCloud (Keychain) password database, unless you are at home or work. But this new protection in iOS 17.3 will not apply to 1Password.

    In my opinion, having a phone's passcode to unlock 1Password is a big step backwards in security for 1Password.

  • burtmacklin21
    Community Member

    This is a fantastic question! I have this same concern. Using long and complex passwords for mobile devices can often be impractical, so I’d imagine that for the average 1Password user, their account will be less secure if they go down this passkey-only route (especially if they are using multiple devices).

    I think having an option to disable the fallback and only unlock with biometrics would be vital. (There are always the recovery codes if something really goes wrong anyway.)

    I’m a big fan of passkeys for other logins through 1Password, but a password manager is only as secure as the master password and with this approach it will now be only as strong as your iPhone or Apple Watch passcodes.

  • fra76
    Community Member

    So, it’s not only me having this concern!

    Hopefully someone from 1Password will clarify the actual behaviour and the reasoning behind it.

  • millertime
    Community Member

    I also share the concern and if it is indeed the case that no extra PIN can be set and the telephone PIN cannot be switched off as a fallback, I would not use the function.

  • crazymustard
    Community Member

    It seems that this feature depends on the secure element of the phone, just like the screen lock. Perhaps 1Password support can confirm or deny this.

  • fra76
    Community Member

    More details from Dave here:
    https://1password.community/discussion/143256/why-passkey-login-to-1password#latest

    I’m afraid I’ll stick to master password to protect my 1Password.

  • Dave_1P
    edited January 30

    Hello everyone! 👋

    Thank you for the questions! If you choose to sign up for the passkey unlock beta then you'll need to store your passkey somewhere safe like iCloud Keychain or Google Password Manager. To add your 1Password account to a new device you'll then need two things:

    1. Your saved passkey.
    2. Authentication from an existing trusted device where you're already using your 1Password account.

    After you add your account, how you'll access your passkey for 1Password will depend on where you've stored it. If you've stored your passkey in iCloud Keychain then you'll use Face ID or Touch ID to access your passkey. If Face ID or Touch ID fails then iCloud Keychain will fall back to your device passcode, which can be made more complex if you wish: Use a passcode with your iPhone, iPad, or iPod touch - Apple Support (CA)

    The device passcode is required by iCloud Keychain, where you've saved your passkey to unlock 1Password. The prompt to use your device passcode does not come from 1Password itself.

    If using your device passcode to access the passkey that unlocks 1Password doesn't fit your threat model then you can continue to use an account password and Secret Key to unlock your 1Password account instead.

    Let me know if you have any questions. 🙂

    -Dave

  • fra76
    Community Member

    Thanks for your answer Dave.

    If I understand correctly:

    • The passkey needed to unlock 1Password resides outside of 1Password itself, of course.
    • The policy for securing that passkey is delegated to whoever holds it, iCloud Keychain in this case.
    • Apple's policy is to fall back to the device passcode if biometrics fail.

    If I rely on Apple iCloud Keychain to unlock 1Password, it is, security-wise, like having all my credentials stored there, as it will be possible to access all 1Password vault content with the security policy used to protect the passkey, falling back to a 6-digit code for example.

    With this in mind, I will personally stay with master password for 1Password.

    Thanks for your time explaining this!

  • Dave_1P

    @fra76

    I'm happy to help. You're more than welcome to continue using an account password and Secret Key if that better fits your individual threat model.

    -Dave

  • Tangible409
    Community Member

    I came here with the same worries, and have found the ensuing dialog a bit confusing. So let me try a simple hypothetical:

    I’ve set up my iPhone to unlock 1Password with a passkey. I’ve foolishly set my iPhone’s device code to 1234. A bad person picks up my phone, fails the biometric login, types 1234, and now has full access to everything in my 1Password account.

    Is that true or not true?

  • Dave_1P

    @Tangible409

    I'm sorry for the confusion. How you access the passkey that you use to unlock 1Password depends on the provider that you've saved the passkey with and their available authentication methods. If you've saved your passkey for 1Password in iCloud Keychain then biometrics will be required to access that passkey. If biometrics fail then iCloud Keychain will fall back to the device passcode.

    If you choose to save your passkey in iCloud Keychain then you can choose a more secure device passcode: Use a passcode with your iPhone, iPad, or iPod touch - Apple Support (CA)

    You can also save your passkey in other places, such as a security key, which will leverage different authentication methods to provide access to your passkey.

    I hope that helps! 🙂

    -Dave

  • Tangible409
    Community Member

    Thanks, Dave. In my opinion, creating the beautifully complex yet simple to use 1Password security model, and then allowing an unsophisticated user to nullify it all with a poorly chosen phone code, is a serious strategic blunder that will lead to tragic losses.

    I do appreciate that you will allow us to keep the current excellent system, but I feel bad for the many folks who won’t understand the trap they’re falling into.

  • Dave_1P
    edited January 11

    @Tangible409

    Thanks for the reply. You might be interested in the new Stolen Device Protection feature that Apple just introduced with the beta version of iOS 17.3. This feature provides an additional layer of security, helping to prevent access to your saved credentials in iCloud Keychain if your device is stolen and someone has obtained your device passcode.

    I'm not running the iOS beta myself so I haven't had a chance to test the feature yet but it sounds like it might answer some of your concerns. 🙂

    -Dave

  • Tangible409
    Community Member

    Stolen Device Protection is now available, and it’s a great feature. While it reduces the risks, there are several weaknesses:
    1. It’s not available on iPad, at least not yet.
    2. It doesn't protect the phone at home or work. Sadly, there may be people in these places seeking unauthorized access. Those people are especially likely to know, or have the knowledge to guess, a simple device passcode.

    What I would like to see is for 1PW to refuse to use a passkey from iCloud Keychain unless the phone was unlocked with a biometric. Apple is able to differentiate based on this – it’s the basis for Stolen Device Protection – but I don’t know if that information is available to you as an app developer. If it is, I suggest you implement it, at least as an option.

  • Dave_1P

    @Tangible409

    “What I would like to see is for 1PW to refuse to use a passkey from iCloud Keychain unless the phone was unlocked with a biometric.”

    I recommend sending your feedback to Apple as well since they control what options are available to unlock iCloud Keychain on your device. I'm not aware of a way for apps to know what method is used to unlock iCloud Keychain but, since I'm not a developer myself, I've passed along your suggestion to the team so that they can look into this further.

    Thanks again for the feedback! 🙂

    -Dave

    ref: PB-37966324

  • millertime
    Community Member

    It should be feasible to assign an additional PIN for 1Password, similar to the standard practice in most financial and banking applications, in the event that biometric verification fails.

  • Dave_1P
    edited January 29

    @millertime

    Thank you for the feedback. Most other apps just use authentication rather than end-to-end encryption, and I'm not sure how feasible such an option would be with 1Password's security model. That being said, I've passed your comments along to the team. 🙂

    -Dave

    ref: PB-38025755