rednaxela123
2 years ago · New Contributor
Request: Allow log in from browser without forcing authorization from an already authorized device
Hello,
I am testing the unlock with passkey feature currently with Yubikeys. I added two Yubikeys as a passkey and I am able to use them on my iPhone and on the browser. But one thing is really a...
telephoneman2
2 years ago · Super Contributor
Hi Dave, thanks for the reply.
I understood it needs 2 things to log in to your cloud and decrypt the vault: 1. a passkey to authenticate against your servers; 2. the already trusted device to confirm and decrypt the vault (or the recovery key). For the recovery process, rednaxela123 complains that you need access to your email account and the recovery key, which is a problem if your mobile device got lost on vacation and it's the only device you have with you, and access to email is also not possible because the password for the email account is locked in the 1P vault you don't have access to. Or even worse, when access to the mailbox is only possible with a fancy new passkey ;)
So if you could, in addition, decrypt the vault through a certificate which can be installed on a Yubikey, you could have that with you (or put it at a friend's house), securely protected via PIN.
The idea would be to "hash" the required decryption secret into a certificate or digital signature which is stored on the Yubikey. So the user can authenticate against your servers with the passkey and unlock the vault through the certificate. Just to be clear: this should not replace the "approve access on trusted device" that is implemented now. It should be an additional method which is independent of mailboxes and printed emergency recovery keys.
So the flow is:
1. login into 1Password.com
2. Manage credentials
3. Create digital decryption certificate / Signature
4. Store on yubikey
If you need to log in to a new 1PW instance on a new device or a foreign PC, there are 3 methods:
A. Passkey (e.g. on iCloud, Google Cloud or Yubikey) + approve on an existing trusted 1PW instance (standard process)
Backup:
B. Passkey on Yubikey + signature or certificate from the Yubikey
C. Email and printed recovery code
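A toy model of method B, added here as an illustration and not code from 1Password or from the poster: the vault key is wrapped to a public key whose private half lives on a PIN-protected token (a stand-in for the Yubikey), the server stores only the wrapped blob, and on a new device the token unwraps the key so the vault can be decrypted. It uses only the Go standard library; the `RecoveryToken` type, its PIN lockout, the wrap label and the AES-GCM vault format are assumptions for the demonstration, not 1Password's actual design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// wrapLabel binds the wrapped blob to its purpose (OAEP label); constructed value.
var wrapLabel = []byte("vault-key-wrap-v1")

const maxPINTries = 3

// RecoveryToken is a hypothetical model of a PIN-protected hardware key. The private
// key never leaves the struct; callers only get Unwrap, and only with the correct PIN.
type RecoveryToken struct {
	priv        *rsa.PrivateKey
	pin         []byte
	failedTries int
}

func NewRecoveryToken(pin string) (*RecoveryToken, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RecoveryToken{priv: priv, pin: []byte(pin)}, nil
}

// PublicKey is the only material exported at enrolment; the server may store it freely.
func (t *RecoveryToken) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Unwrap is the on-token private-key operation. Wrong PINs are counted and the token
// locks after maxPINTries, which bounds guessing if the token itself is lost.
func (t *RecoveryToken) Unwrap(pin string, wrapped []byte) ([]byte, error) {
	if t.failedTries >= maxPINTries {
		return nil, errors.New("token locked: too many wrong PINs")
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.failedTries++
		return nil, errors.New("wrong PIN")
	}
	t.failedTries = 0
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, wrapped, wrapLabel)
}

// EnrolRecoveryToken wraps the vault key to the token's public key (step 3 of the flow
// above). The server keeps only this blob, which is useless without the token and PIN.
func EnrolRecoveryToken(vaultKey []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, vaultKey, wrapLabel)
}

// EncryptVault and DecryptVault stand in for the vault's symmetric layer (AES-256-GCM,
// nonce prepended to the ciphertext).
func EncryptVault(vaultKey, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(vaultKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func DecryptVault(vaultKey, blob []byte) ([]byte, error) {
	aead, err := newGCM(vaultKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverOnNewDevice is method B: after the passkey login (outside this model) has
// fetched the wrapped blob and the encrypted vault, the token unwraps the key locally.
func RecoverOnNewDevice(wrapped []byte, tok *RecoveryToken, pin string, vaultBlob []byte) ([]byte, error) {
	vaultKey, err := tok.Unwrap(pin, wrapped)
	if err != nil {
		return nil, err
	}
	return DecryptVault(vaultKey, vaultBlob)
}
```

The point this models is the separation the poster asks for: the passkey proves identity to the server, while vault decryption depends on a second secret held on the token, so neither the server's copy of the wrapped blob nor the passkey alone can open the vault. Three wrong PINs lock the token permanently in this model, which is the property that makes a stolen token a bounded risk rather than a bypass.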