fra76 (New Contributor), 2 years ago
Passkey unlocked using device passcode
Hi,
A silly question, maybe, regarding unlocking 1Password with a passkey.
I was one of the private beta users and, while I found it very convenient, there is an aspect that worries me a lot. Probably it’s just me not understanding the details, that’s why I am asking here.
In the blog post describing the introduction of passkeys to unlock 1Password (https://blog.1password.com/unlock-1password-individual-passkey-beta/) you can read:
“Once you’ve created a passkey, you can unlock 1Password by using biometrics or, as a fallback, the passcode that protects your device. You can then use your first device to set up more trusted devices with 1Password.”
Let’s imagine that someone has access to my iPhone and tries to get into 1Password.
Biometrics will not work, as his face is different from mine.
With the current master password, he needs to guess a long and complex sequence of letters, numbers and special characters. Very difficult.
With the passkey, he will only need to guess the passcode that protects my device. Much easier than my master password.
The entropy of the secret key of the passkey pair can be as high as possible, but if anyone can access it with the phone passcode (usually 6 digits; nobody will ever use a 26-character random password as a phone passcode), can someone explain to me how the passkey is as safe as the master password in a situation like the above?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
- 1P_Dave (Moderator)
Hello everyone! 👋
Thank you for the questions! If you choose to sign up for the passkey unlock beta then you'll need to store your passkey somewhere safe like iCloud Keychain or Google Password Manager. To add your 1Password account to a new device you'll then need two things:
- Your saved passkey.
- Authentication from an existing trusted device where you're already using your 1Password account.
After you add your account, how you'll access your passkey for 1Password will depend on where you've stored it. If you've stored your passkey in iCloud Keychain then you'll use Face ID or Touch ID to access your passkey. If Face ID or Touch ID fails then iCloud Keychain will fall back to your device passcode, which can be made more complex if you wish: Use a passcode with your iPhone, iPad, or iPod touch - Apple Support (CA)
The device passcode is required by iCloud Keychain, where you've saved your passkey to unlock 1Password. The prompt to use your device passcode does not come from 1Password itself.
If using your device passcode to access the passkey that unlocks 1Password doesn't fit your threat model then you can continue to use an account password and Secret Key to unlock your 1Password account instead.
Let me know if you have any questions. 🙂
-Dave
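The reasoning in the original question (an attacker who holds the phone, cannot pass biometrics, and is left guessing either the master password or the device passcode) and the flow Dave describes (biometric, then passcode fallback; new devices need the saved passkey plus approval from an existing trusted device) are both weakest-link arguments. The added example below, which is not from the thread or from 1Password, models each unlock route as a small OR/AND tree of guessable secrets and computes the effective search space in bits: an OR node is only as strong as its weakest branch, an AND node compounds its branches. The bit values, alphabet sizes and the choice to treat biometrics as unguessable are constructed modelling assumptions, not measured properties of any product.

```python
"""Weakest-link model of alternative unlock paths (added example, not 1Password's code).

Modelling assumptions (constructed for illustration):
  * A secret's strength is the size of its guess space in bits.
  * Biometrics are treated as unguessable (math.inf), matching the thread's
    own assumption that the attacker's face does not match the owner's.
  * No lockout / rate limiting is modelled; the numbers are pure guess-space sizes.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Secret:
    """A single guessable factor with a guess space of `bits` bits."""
    name: str
    bits: float


@dataclass(frozen=True)
class AnyOf:
    """Attacker succeeds with ANY one branch: strength is the weakest branch."""
    name: str
    paths: List["Node"]


@dataclass(frozen=True)
class AllOf:
    """Attacker must defeat EVERY branch: independent secrets compound (bits add)."""
    name: str
    paths: List["Node"]


Node = Union[Secret, AnyOf, AllOf]


def effective_bits(node: Node) -> float:
    """Effective guess space, in bits, an attacker must search to pass `node`."""
    if isinstance(node, Secret):
        return node.bits
    child_bits = [effective_bits(p) for p in node.paths]
    if isinstance(node, AnyOf):
        return min(child_bits)          # weakest link wins
    return sum(child_bits)              # AllOf: each factor multiplies the work


def pin_bits(digits: int) -> float:
    """Guess space of an all-digit passcode of the given length."""
    return digits * math.log2(10)


def password_bits(length: int, alphabet: int = 94) -> float:
    """Guess space of a uniformly random password over `alphabet` symbols.

    94 = printable ASCII minus space, a constructed default for a generated
    'letters, numbers and special characters' master password.
    """
    return length * math.log2(alphabet)


def build_models() -> Dict[str, Node]:
    """The three routes discussed in the thread, as constructed trees."""
    face_id = Secret("Face ID (treated as unguessable)", math.inf)
    device_passcode = Secret("6-digit device passcode", pin_bits(6))
    master_password = Secret("26-char random master password", password_bits(26))
    saved_passkey = Secret("passkey private key (never guessed directly)", math.inf)

    # Route 1: classic unlock on the stolen phone.
    classic = AnyOf("unlock with master password", [master_password])

    # Route 2: passkey unlock on the stolen phone; keychain falls back to passcode.
    passkey_unlock = AnyOf("unlock with passkey", [face_id, device_passcode])

    # Route 3: enrolling a NEW device needs the passkey AND an existing trusted device.
    trusted_device = AnyOf("approval on existing trusted device",
                           [face_id, device_passcode])
    new_device = AllOf("add new device", [saved_passkey, trusted_device])

    return {"classic": classic, "passkey_unlock": passkey_unlock, "new_device": new_device}


def compare() -> Dict[str, float]:
    """Effective bits per route; lower means easier for an attacker holding the phone."""
    return {name: effective_bits(tree) for name, tree in build_models().items()}


if __name__ == "__main__":
    for route, bits in compare().items():
        print(f"{route:16s} {bits:8.2f} bits")
```

The point the model makes explicit is that adding a fallback branch to an OR node can never raise its strength and can only lower it to the weakest branch: with the passcode as fallback, the passkey route on the stolen phone is worth exactly the passcode's bits, however strong the passkey's own key is. A longer alphanumeric device passcode, as Dave suggests, raises that branch directly; the enrollment route stays strong because it is an AND of two factors.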
- mike48397289 (Occasional Contributor)
There is a middle ground here.
If 1P allowed use of a YubiKey passkey on Android, then you could store the passkey in a YubiKey and not rely on Android security to protect you.
But so far the YubiKey only works on Windows and not Android.
iPhone, I've no idea.
- fra76 (New Contributor)
More details from Dave here:
https://1password.community/discussion/143256/why-passkey-login-to-1password#latest
I’m afraid I’ll stick to the master password to protect my 1Password.
- Former Member
It seems that this feature depends on the secure element of the phone, just like the screen lock. Perhaps 1Password support can confirm or deny this.
- millertime (Occasional Contributor)
I also share the concern and if it is indeed the case that no extra PIN can be set and the telephone PIN cannot be switched off as a fallback, I would not use the function.
- fra76 (New Contributor)
So, it’s not only me having this concern!
Hopefully someone from 1Password will clarify the actual behaviour and the reasoning behind it.
- Pleonasm (Frequent Contributor)
The process for unlocking 1Password with a passkey is described as: “…you can unlock 1Password by using biometrics or, as a fallback, the passcode that protects your device.”
When using an iPhone, does this mean that 1Password operates by first using Face ID to unlock the application – and, if that fails, then it accepts the device passcode (i.e., the PIN used to unlock the phone)?
If so, is there an option to configure 1Password on iOS to accept a user-specified PIN in place of the device passcode?
- Former Member
This is a fantastic question! I have this same concern. Using long and complex passwords for mobile devices can often be impractical, so I’d imagine that for the average 1Password user, their account will be less secure if they go down this passkey-only route (especially if they are using multiple devices).
I think having an option to disable the fallback and only unlock with biometrics would be vital. (There are always the recovery codes if something really goes wrong anyways).
I’m a big fan of passkeys for other logins through 1Password, but a password manager is only as secure as the master password and with this approach it will now be only as strong as your iPhone or Apple Watch passcodes.
- Ski4444 (New Contributor)
I agree with the above scenario! Very worrisome that 1Password can be opened by only a phone's passcode, if I select the unlock with Passkey option! In my opinion, that is a big security design flaw! I will not be turning that option on.
Apple, in the new iOS 17.3 beta, is finally implementing some protection if someone steals your phone and is able to obtain your phone's passcode. They have added much needed protection to critical elements of your phone, like requiring only biometrics to unlock your iCloud (Keychain) password database. The iPhone's passcode is no longer a fallback to unlock your iCloud (Keychain) password database, unless you are at home or work. But this new protection in iOS 17.3 will not apply to 1Password.
In my opinion, having a phone's passcode to unlock 1Password is a big step backwards in security for 1Password.