Forum Discussion
rednaxela123
2 years ago
New Contributor
Request: Allow log in from browser without forcing authorization from an already authorized device
Hello,
I am currently testing the unlock with passkey feature with YubiKeys. I added two YubiKeys as passkeys and I am able to use them on my iPhone and in the browser. But one thing is really a...
1P_Dave
Moderator
2 years ago
Thank you for the reply. When you choose to unlock your 1Password account with a passkey, a unique and random device key is created and stored on your device. This device key never leaves your device and it is used to protect the account unlock key that decrypts your items. It is the combination of your passkey (authentication) and the device key (encryption) that is used to unlock 1Password on your device.
On macOS and iOS devices, since you mentioned iCloud Keychain, we protect the device key with your device's hardware security features.
If I would carry the new recovery key with me that seems more dangerous: an unlocked stolen phone gives access to email account, so if I also get my wallet stolen (with the recovery key) they can gain access to 1Password and I would have no way to stop it
The recovery code isn't meant to be used to add your 1Password account to new devices, you use your passkey and an existing trusted device to do that. The recovery code is meant to be used rarely as an emergency measure in those situations where you've lost access to either your passkey or to all of your trusted devices.
If someone steals your phone then 1Password would still be protected since the thief wouldn't be able to unlock the phone without your face/fingerprint or device passcode. If your phone is unlocked then they wouldn't be able to unlock 1Password itself without your face, fingerprint or your passkey.
When printing the recovery code, we designed the printout to exclude any reference to your specific 1Password account, to prevent a thief from knowing what account the code was for. I would still recommend storing it somewhere safe.
I naively thought that my good old master password would simply have been replaced by a strong key on the FIDO2 device (YubiKey, Secure Enclave) secured by a PIN or biometrics.
You can already save a passkey for your 1Password account on a security key if you wish: Unlock 1Password with a passkey (beta)
To add your 1Password account to a new device you'll need the passkey (from either a platform manager like iCloud Keychain or your security key) and confirmation from an existing trusted device.
-Dave
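
The split described in the reply above, passkey for authentication and a device key for encryption, shown as an added example that is not part of the original post and is not 1Password's code. It is a simplified model: the Ed25519 key pair standing in for the passkey, the place the wrapped unlock key is kept, and all function names are assumptions.

```javascript
// Simplified model (assumption): not 1Password's actual protocol or key hierarchy.
const crypto = require('crypto');

// AES-256-GCM wrap/unwrap of the account unlock key under the device key.
function wrap(deviceKey, unlockKey) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deviceKey, iv);
  const ct = Buffer.concat([c.update(unlockKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unwrap(deviceKey, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', deviceKey, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]); // throws on a wrong key
}

// Passkey stand-in (assumption): an Ed25519 key pair that signs a fresh challenge.
function newPasskey() { return crypto.generateKeyPairSync('ed25519'); }

// Enrollment on a trusted device: the random device key stays local; only the
// passkey public key and the wrapped unlock key are registered with the account.
function enroll(passkey, unlockKey) {
  const deviceKey = crypto.randomBytes(32);
  const account = { passkeyPub: passkey.publicKey, wrapped: wrap(deviceKey, unlockKey) };
  return { deviceKey, account };
}

// Unlock needs both: a valid passkey signature (authentication)
// and the local device key (decryption).
function unlock(account, passkeyPriv, deviceKey) {
  const challenge = crypto.randomBytes(32);
  const sig = crypto.sign(null, challenge, passkeyPriv);
  if (!crypto.verify(null, challenge, account.passkeyPub, sig)) return 'auth-failed';
  if (!deviceKey) return 'needs-trusted-device';
  try { return unwrap(deviceKey, account.wrapped); } catch { return 'decrypt-failed'; }
}

function demo() {
  const passkey = newPasskey();
  const unlockKey = crypto.randomBytes(32); // constructed sample secret
  const { deviceKey, account } = enroll(passkey, unlockKey);
  return {
    trusted: unlock(account, passkey.privateKey, deviceKey).equals(unlockKey),
    newDevice: unlock(account, passkey.privateKey, null),          // passkey only
    deviceKeyOnly: unlock(account, newPasskey().privateKey, deviceKey), // no passkey
    wrongKey: unlock(account, passkey.privateKey, crypto.randomBytes(32)),
  };
}
```

In this model a new device that holds the passkey but no device key cannot decrypt anything, which is why enrollment goes through an existing trusted device.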