fra76
2 years ago · New Contributor
Passkey unlocked using device passcode
Hi,
A silly question, maybe, regarding unlocking 1Password with a passkey.
I was one of the private beta users and, while I found it very convenient, there is an aspect that worries me a lot. Probably it’s just me not understanding the details, that’s why I am asking here.
In the blog post describing the introduction of passkeys to unlock 1Password (https://blog.1password.com/unlock-1password-individual-passkey-beta/) you can read:
“Once you’ve created a passkey, you can unlock 1Password by using biometrics or, as a fallback, the passcode that protects your device. You can then use your first device to set up more trusted devices with 1Password.”
Let’s imagine that someone has access to my iPhone and tries to get into 1Password.
Biometrics will not work, as his face is different from mine.
With the current master password, he needs to guess a long and complex sequence of letters, numbers and special characters. Very difficult.
With the passkey, he will only need to guess the passcode that protects my device. Much easier than my master password.
The entropy of the secret key of the passkey pair can be as high as possible, but if anyone can access it with the phone passcode (usually 6 digits; nobody will ever use a 26-character random password as a phone passcode), can someone explain to me how the passkey is as safe as the master password in a situation like the above?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
- 1P_Dave
Moderator
Thank you for the feedback, most other apps just use authentication rather than end-to-end encryption and I'm not sure how feasible such an option would be with 1Password's security model. That being said, I've passed your comments along to the team. 🙂
-Dave
ref: PB-38025755
- millertime (Occasional Contributor)
It should be feasible to assign an additional PIN for 1Password, similar to the standard practice in most financial and banking applications, in the event that biometric verification fails.
- 1P_Dave
Moderator
What I would like to see is for 1PW to refuse to use a passkey from iCloud Keychain unless the phone was unlocked with a biometric.
I recommend sending your feedback to Apple as well since they control what options are available to unlock iCloud Keychain on your device. I'm not aware of a way for apps to know what method is used to unlock iCloud Keychain but, since I'm not a developer myself, I've passed along your suggestion to the team so that they can look into this further.
Thanks again for the feedback! 🙂
-Dave
ref: PB-37966324
- Tangible409 (Occasional Contributor)
Stolen Device Protection is now available, and it’s a great feature. While it reduces the risks, there are several weaknesses:
1. It’s not available on iPad, at least not yet
2. It doesn't protect the phone at home or work. Sadly, there may be people in these places seeking unauthorized access. Those people are especially likely to know, or have the knowledge to guess, a simple device passcode.
What I would like to see is for 1PW to refuse to use a passkey from iCloud Keychain unless the phone was unlocked with a biometric. Apple is able to differentiate based on this – it’s the basis for Stolen Device Protection – but I don’t know if that information is available to you as an app developer. If it is, I suggest you implement it, at least as an option.
- 1P_Dave
Moderator
Thanks for the reply. You might be interested in the new Stolen Device Protection feature that Apple just introduced with the beta version of iOS 17.3. This feature provides an additional layer of security, helping to prevent access to your saved credentials in iCloud Keychain if your device is stolen and someone has obtained your device passcode.
I'm not running the iOS beta myself so I haven't had a chance to test the feature yet but it sounds like it might answer some of your concerns. 🙂
-Dave
- Tangible409 (Occasional Contributor)
Thanks, Dave. In my opinion, creating the beautifully complex yet simple to use 1Password security model, and then allowing an unsophisticated user to nullify it all with a poorly chosen phone code, is a serious strategic blunder that will lead to tragic losses.
I do appreciate that you will allow us to keep the current excellent system, but I feel bad for the many folks who won’t understand the trap they’re falling into.
- 1P_Dave
Moderator
I'm sorry for the confusion. How you access the passkey that you use to unlock 1Password depends on the provider that you've saved the passkey with and their available authentication methods. If you've saved your passkey for 1Password in iCloud Keychain then biometrics will be required to access that passkey. If biometrics fail then iCloud Keychain will fall back to the device passcode.
If you choose to save your passkey in iCloud Keychain then you can choose a more secure device passcode: Use a passcode with your iPhone, iPad, or iPod touch - Apple Support (CA)
You can also save your passkey in other places, such as a security key, which will leverage different authentication methods to provide access to your passkey.
I hope that helps! 🙂
-Dave
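Several posts above ask whether an app can insist on biometrics and refuse the device-passcode fallback. For a passkey stored in iCloud Keychain the app does not control that prompt; Apple's passkey UI decides when to fall back. For a secret an app keeps in its own local keychain, however, Apple's Security and LocalAuthentication frameworks do let the app make the item releasable only by biometry, with no passcode fallback. The following is an added illustration written for this thread, not 1Password's code or any statement about how 1Password is built; the account name, reason string and the `vaultKey` placeholder are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

/// Errors surfaced to the caller instead of raw OSStatus codes.
enum BiometricVaultError: Error {
    case biometricsUnavailable
    case keychain(OSStatus)
    case accessControl
}

/// Returns true only if the device has enrolled biometrics. The policy
/// `.deviceOwnerAuthenticationWithBiometrics` deliberately has no passcode
/// fallback, unlike `.deviceOwnerAuthentication`.
func biometricsEnrolled() -> Bool {
    let context = LAContext()
    var error: NSError?
    return context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error)
}

/// Stores `secret` so the Secure Enclave releases it only after a successful
/// biometric match. `.biometryCurrentSet` additionally invalidates the item
/// if the enrolled fingerprints or face are changed, so an attacker who
/// knows the passcode cannot enrol their own biometric and then read it.
func storeBiometricOnlySecret(_ secret: Data, account: String) throws {
    guard biometricsEnrolled() else { throw BiometricVaultError.biometricsUnavailable }

    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never synced, never backed up
        .biometryCurrentSet,                             // biometry only, no passcode fallback
        &cfError
    ) else { throw BiometricVaultError.accessControl }

    // Remove any previous copy; the delete query must not carry access-control attributes.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: secret,
    ]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricVaultError.keychain(status) }
}

/// Reads the secret back. The system shows the biometric prompt itself;
/// clearing `localizedFallbackTitle` hides the "Enter Passcode" button so the
/// user is never offered a passcode path for this item.
func readBiometricOnlySecret(account: String, reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    context.localizedFallbackTitle = ""

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw BiometricVaultError.keychain(status)
    }
    return data
}

// Usage sketch (assumed names): wrap a locally generated vault key and read it back.
// let vaultKey = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
// try storeBiometricOnlySecret(vaultKey, account: "example.vault.key")
// let unwrapped = try readBiometricOnlySecret(account: "example.vault.key",
//                                             reason: "Unlock your vault")
```

The point for the thread is the distinction the moderator draws: what gates the secret is the provider that holds it. A locally stored keychain item can be bound to biometry alone as above, whereas an iCloud Keychain passkey follows Apple's own prompt, which does fall back to the device passcode; that is why the strength of the device passcode matters in the passkey-unlock scenario and not in this one.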
- Tangible409 (Occasional Contributor)
I came here with the same worries, and have found the ensuing dialog a bit confusing. So let me try a simple hypothetical:
I’ve set up my iPhone to unlock 1Password with a passkey. I’ve foolishly set my iPhone’s device code to 1234. A bad person picks up my phone, fails the biometric login, types 1234, and now has full access to everything in my 1Password account.
Is that true or not true?
- 1P_Dave
Moderator
I'm happy to help. You're more than welcome to continue using an account password and Secret Key if that better fits your individual threat model.
-Dave
- fra76 (New Contributor)
Thanks for your answer Dave.
If I understand correctly:
- The passkey needed to unlock 1Password resides outside of 1Password itself, of course.
- The policy to secure that passkey is delegated to whoever holds it, iCloud Keychain in this case.
- Apple's policy is to fall back to the device passcode if biometrics fail.
If I rely on Apple iCloud Keychain to unlock 1Password, it is like having all my credentials stored there, security-wise, as it will be possible to access all 1Password vault content with the security policy used to protect the passkey, falling back to a 6-digit code for example.
With this in mind, I will personally stay with master password for 1Password.
Thanks for your time explaining this!