Former Member · 2 years ago
Disable Passkey support for AutoFill
I prefer to keep Passkeys in my iCloud Keychain because it's essentially syncing just on my iPhone & iPad, while 1Password has an archive file format, so those keys would essentially be files in the ...
Former Member · 2 years ago
Yes:
In general, I keep everything in my 1Password. The sole exceptions are:
- TOTP for accounts that need “real 2FA”, so I save their TOTP in a separately encrypted authenticator app;
- Some FIDO2 Security Keys for the same “real 2FA” reason; and
- Passkeys (except for the same cases where I’d save TOTP in 1Password anyway).
The reason for saving Passkeys elsewhere is defense-in-depth and keeping the possibility of credential theft as low as I can. At work we keep our code signing keys on a hardware token to keep them from being stolen by an attacker. For that same reason, I prefer keeping some of my own keys on hardware or hardware-enforced platforms: YubiKeys, TPMs, etc.
While I love 1Password, it’s still essentially syncing a file-based archive around and accessing it with a userland application. I completely trust it from a brute-force perspective, but credential theft is another matter. On a defense-in-depth level, since websites are giving Passkeys a very high trust level, I’m wary of saving them in software for that reason.
I know iCloud Keychain means it’s not a “real” hardware key and not unexportable, but it’s at least properly separated on iOS/macOS/iPadOS and secured by each device’s secure element, so I trust it enough.
TL;DR / To sum up: It’s out of a defense-in-depth and tiering approach, put simply, some accounts are more important than others.