Signing back into the Community for the first time? You'll need to reset your password to access your account.  Find out more.

Forum Discussion

lodaka's avatar
lodaka
Frequent Contributor
2 years ago

Passkey implementation and usage

Hello, I wasn't sure where to post this; so, please move this thread to an appropriate place if needed. After the recent update, I am now experimenting with the passkey function of 1Password. I've...
android
rickapel's avatar
rickapel
Occasional Contributor
2 years ago

This post captures my questions perfectly as I just created my first few passkeys this week. We need strategies in general as most of us now have a PW, passkey, and 2FA set up. We need advice on removing unneeded items to create a safe login while leaving a minimal set of attack vectors in place. I'm going to pile on my questions, hoping that others see them and respond,

1) One of the things I have in the back of my mind is if some of the advice would be based on how passkeys were implemented on the different web sites. Is this assumption correct?

2) When I was researching hardware devices, it was mentioned that a backup plan was necessary if the hardware was lost. I believe the advice was to set up 2 hardware devices in case you lost one so you could at least login and remove the 1st device.

In the instance of using 1password, I would not think that would be necessary as you have software copies of the passkeys on multiple devices. I would like this advice to be validated per the second comment from the OP, who received the "Your device is not registered" message.

I would think that a passkey is a passkey regardless of the device the client is using. My other thought on this is that the message the OP received above was sent due to a web site specific validation which might have been outside of the protocol used for the validation of passkeys.

(I do believe that one web site gave me a recovery key to be used but I'm going from memory on that one and just want to focus on getting these questions posted for now)

3) I share a few accounts with my kids (now adults), one who has their own 1password account, and one who does not.
I typically share a 1password link with the kid who has 1password and life is good. I've done this when creating OTP's and would assume the passkeys would migrate over too. Am I Correct on this assumption?

4) With the kid that doesn't use 1password, I managed to get him set up such that he uses a 3rd party app with the OTP key that I originally created with 1password. My kid who uses 1password quickly saw the value of it, but I'm still working on the other kid to start using it instead of using scraps of paper. Is there a way to export a passkey so that kid can temporarily use passkeys with a 3rd party app during the interim period?

Thanks in advance for any responses?
Fredrick (Rick) Apel