Signing back into the Community for the first time? You'll need to reset your password to access your account.  Find out more.

Forum Discussion

rednaxela123's avatar
rednaxela123
New Contributor
2 years ago

Request: Allow log in from browser without forcing authorization from an already authorized device

Hello, I am testing the unlock with passkey feature currently with Yubikeys. I added two Yubikeys as a passkey and I am able to use them on my iPhone and on the browser. But one thing is really a...
passkeys
rednaxela123's avatar
rednaxela123
New Contributor
2 years ago

As my discussion was deleted without any comment, I am posting it here again... as I really think that it is of concern

Feature request: Possibility to disable forced authorization by a trusted device when signing in on a new browser or device

I am testing the unlock with passkey feature currently with Yubikeys. I added two Yubikeys as a passkey and I am able to use them on my iPhone and on the browser. But one thing is really annoying:

  • the requirement to authorize a new browser on a trusted device when connecting to 1password from a different browser and the impossibility to disable this behavior

Why? Well let's describe a scenario which might happen quite easily...

  • I use 1password on my iphone and on my Mac
  • i am on a trip far from home, only with my iphone and my (heavy) mac is safe at home
  • My iPhone gets stolen
  • Of course my passwords are safe as they don't have any Yubikey neither the pincode
  • But now I am unable to get access to any password during the whole trip: if i borrow the computer of a friend 1password will refuse signing in with my Yubikey because it will send an authorization to my (stolen) iPhone and my Mac is alone at home !

... So simply by getting my phone stolen I am locked out of my digital identity because of that authorization : no emails, no social media account access, no banking app access ! Just a few examples of how annoying this can be.

Now don't come with you just have to setup a recovery code. Not only in my setup this is a big security leak (compared to simply adding enough backup yubikeys). Even if I do so, it won't be in my wallet while on holiday. It's in a bank deposit box or at home in some drawer.

I am aware that for most users the authorization feature is good and adds extra security especially if their master passkey is stored on the iphone itself.

But please add an option to disable forced authorization by a trusted device. It's (in my opinion) compromising the ease of use of passkeys.