Forum Discussion
rallyn1password
2 years ago · Occasional Contributor
Why passkey login to 1Password?
I can't understand the reason to spend development dollars to enable passkey login to 1Password account. I must be missing something here. I am a huge fan of passkeys and 1Password as the repository for all my passkeys, but logging into 1Password with a passkey makes no sense to me.
My assumption is that to login to 1Password with a passkey, that passkey has to be stored on a device. For iOS/Mac that is iCloud keychain. For Windows, Linux, Android, or any other platform it will be stored somewhere else. Now the passkey, which is the gateway to my digital life, is stored in a whole bunch of places, with associated security or lack there of.
If this assumption is correct, then 1Password seems to be passing off the security of the whole platform to other platforms which means it is out of their control, and inherently less secure. (iPhone passcode could give access to iCloud Keychain for example).
One other question: if I lose all my devices, how do I get access to my 1Password account? No passkey or other logged-in device is available to validate. I go to 1password.com and ???
Help me understand why passkey login to 1Password is a benefit worth doing and using?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
- Tertius (Valued Contributor)
A major problem for me with the 1password passkeys implementation is that the passkey isn't used for encrypting the unlocking keys, similar to how the secret key + account password is used.
Instead, it's just used to authenticate yourself against the 1Password servers for enrolling a new client, and even when you unlock 1Password. According to the security design paper, it's also possible to unlock 1Password offline, and in this case the OS biometric system is used. I'm using Windows, so Windows Hello is used to provide and validate my passkey.
According to the security design paper, a "credential bundle" is decrypted by the device key, and the keys required to decrypt the vault data become available.
However, where is the credential bundle stored in this case on my Windows PC, and the device key? I see a possible attack surface on the credential bundle and the device key, because on Windows there isn't any protected storage except in the TPM, and TPM usage isn't mentioned anywhere. So I'd like to see proof that it isn't possible to crack my local 1Password database if someone just copies my system disk and gets access to every single file on my computer.
As far as I read, the device key is the crucial part, and on Windows it isn't stored in secure storage, so anyone who has access to the hardware can obtain it.
And that's the difference between the passkey implementation and secret key + password: someone with access to the hardware only has access to the secret key. He still isn't able to decrypt the vault data, because he still doesn't have the account password, the second half of what is used to encrypt everything.
But with passkeys, you're only authenticating against some API, and this API can be circumvented - you just need to emulate it or provide your own implementation.
A major drawback of passkeys also is the complexity of the implementation. People simply don't understand how it works as a whole. But if you don't understand something, you don't trust it. The inner working is obscure, is a blackbox, and is in vast contrast to the user experience. The user experience is that there is a popup, you click a button, and you're logged in (optionally with a short pin). And I am supposed to trust that what went on behind the scenes that moment is more secure than using userid+password. And that's my acceptance problem. Is all this magic working behind the scenes actually secure? Isn't there any secret data drain to some spyware? Is the good user experience actually just the peak of good program design, or is it just a dummy, and behind the scenes some very primitive and not secure at all mechanism just says: "give him access"?
In the end, it's again a matter of trust. I have to trust people, if they say: "our passkeys implementation is secure, and it is more secure than using passwords". With passwords, I can choose good passwords to control some kind of security level. But with passkeys, I have no control.
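The contrast Tertius draws above (a vault key protected by a key derived from both an on-disk secret and a remembered password, versus a vault key wrapped by a device key that itself sits on disk) can be made concrete. The following is an added illustration, not 1Password's code and not taken from its security design paper: the key-derivation steps, the 100,000-iteration PBKDF2 count, the HKDF-based XOR stream cipher standing in for a real AEAD such as AES-GCM, the field names and the guessed-password list are all assumptions chosen for the demo. It shows that an attacker who images the disk recovers the vault key immediately under the device-key design, but gets nothing under the two-secret design without the password.

```python
"""Added example: two ways of protecting a vault key, and what a disk image
yields to an attacker under each. Stdlib only; every primitive here is a
stand-in chosen for illustration, not a description of any product."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumption for the demo, not a product value


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC wrapper: HKDF keystream XOR, HMAC tag. Stands in
    for AES-GCM so the example runs without third-party packages."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = hkdf_sha256(key, nonce, b"stream", len(plaintext))
    ct = _xor(plaintext, stream)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, hkdf_sha256(key, nonce, b"stream", len(ct)))


def two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a slow hash of the password with a fast derivation of the
    on-disk secret key. XOR means BOTH halves are needed to reach the key."""
    p_half = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, 32)
    s_half = hkdf_sha256(secret_key, salt, b"secret-key", 32)
    return _xor(p_half, s_half)


def enrol_two_secret(password: str, secret_key: bytes, vault_key: bytes) -> dict:
    """Everything in the returned dict lands on disk; the password does not."""
    salt = secrets.token_bytes(16)
    bundle = wrap(two_secret_key(password, secret_key, salt), vault_key)
    return {"salt": salt, "secret_key": secret_key, "bundle": bundle}


def enrol_device_key(vault_key: bytes) -> dict:
    """Device-key design: the wrapping key is generated and stored locally,
    so it is on the same disk as the bundle it protects."""
    device_key = secrets.token_bytes(32)
    return {"device_key": device_key, "bundle": wrap(device_key, vault_key)}


def demo(password: str = "correct horse battery staple") -> dict:
    vault_key = secrets.token_bytes(32)
    secret_key = secrets.token_bytes(32)
    on_disk_two_secret = enrol_two_secret(password, secret_key, vault_key)
    on_disk_device_key = enrol_device_key(vault_key)

    # Attacker model: a full disk image, i.e. every field of both dicts, no password.
    via_device_key = unwrap(on_disk_device_key["device_key"], on_disk_device_key["bundle"])

    via_two_secret = None
    for guess in ["password", "1Password", "letmein"]:  # constructed wordlist
        k = two_secret_key(guess, on_disk_two_secret["secret_key"], on_disk_two_secret["salt"])
        via_two_secret = unwrap(k, on_disk_two_secret["bundle"])
        if via_two_secret is not None:
            break

    # The legitimate user supplies the password and recovers the vault key.
    legit_key = two_secret_key(password, on_disk_two_secret["secret_key"], on_disk_two_secret["salt"])
    legit = unwrap(legit_key, on_disk_two_secret["bundle"])

    return {
        "device_key_scheme_recovers_vault": via_device_key == vault_key,
        "two_secret_scheme_recovers_vault": via_two_secret == vault_key,
        "legit_user_recovers_vault": legit == vault_key,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the XOR combination is that a disk image leaves the attacker with one half of the key material and a slow password hash to grind through; under the device-key design the same image contains the wrapping key itself, so the protection reduces to whatever the OS does to guard that file.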
- millertime (Occasional Contributor)
timl23, hardware keys become ineffective if there is no access to additional trusted devices. This represents a significant flaw in this type of implementation and contradicts the purpose of passkeys.
- timl23 (Occasional Contributor)
One thing that seems to be missing from the discussion here is that the passkey for 1password can be stored on a security key. That way you don’t have to rely on Apple or Google ecosystems, although you can use them in addition to the security key, if you so desire.
- 1P_Dave (Moderator)
Thank you for the feedback regarding the beta! I've passed your comments and requests for more recovery options along to the team internally. 🙂
-Dave
ref: PB-37671036
ref: PB-37671063
- OAW (Frequent Contributor)
"It's unlikely that you would lose access to all of your devices where you have access to your email at the same time."
I think a house fire or natural disaster might beg to differ. While the risk of such a calamity may be "unlikely" it is certainly not "negligible".
- mike48397289 (Occasional Contributor)
I completely agree. 1P needs to be accessible with nothing but passkey on a hardware key (or 2 passkeys at least).
I have made a suggestion of a different approach here which I think solves the issues with 2 passkeys on a YubiKey. I would love to see a reply from someone knowledgeable to see why it wouldn't work.
- Former Member
The problem here is that not only do people store their email password in 1Password, they also store their email’s 2FA in 1Password too. Not good and I agree this is bad circular implementation to use email.
- rallyn1password (Occasional Contributor)
If you are requiring a second factor for passkey login (which I did not think was a thing), then why not use the Secret Key? Email makes no sense, as I have lost access to email as I cannot get into 1Password to get my email password.
I thought the idea of passkeys was that 2FA is already addressed as to access the passkey, you have to biometrically authenticate to the passkey store. So why the added hurdle for 1Password? It seems at odds with the whole idea of passkeys.
My understanding also is that passkeys cannot be stored outside of a designated passkey storage platform for security, as biometrics or other 2FA are required. So how do I get into iCloud Keychain or Google Password Manager without access to 1Password to log in?
This continues to look like a circular problem with the result of being locked out of 1Password if I lose all devices.
- millertime (Occasional Contributor)
The problem with the proposed solution is that it implies the loss of all devices and the mailbox are separate events, which isn't true. For most users, their mail password is most probably stored in 1Password. I really hope another (additional?) solution is implemented here that can truly be a lifesaver in such situations.
And I'd like to take this opportunity to wish the 1Password team a Merry Christmas.
- 1P_Dave (Moderator)
Thanks for the reply. If you choose to unlock 1Password with a passkey, I recommend storing that passkey in a synced passkey provider and have this provider signed in on more than one device (iCloud Keychain on your iPhone and Mac or Google Password Manager on your phone and browser).
If you've saved your passkey in one provider (such as iCloud Keychain) you can still sign in using that passkey on a device that doesn't support that provider by scanning a QR code. Alternatively, you can add multiple passkeys to your 1Password account from each platform provider that you use.
I'm sorry for being unclear, no one is being faulted here. I was just providing an option that might be helpful in a situation where you've lost all of your devices and lost access to your email account. 🙂
Passkey unlock for 1Password is currently in beta and the team appreciates your feedback as we continue to iterate. I've passed along your thoughts regarding the recovery code process to the team.
-Dave
ref: PB-37487363
ref: PB-37487423