Forum Discussion
rallyn1password
2 years ago
Occasional Contributor
Why passkey login to 1Password?
I can't understand the reason to spend development dollars to enable passkey login to a 1Password account. I must be missing something here. I am a huge fan of passkeys and 1Password as the repository for all my passkeys, but logging into 1Password with a passkey makes no sense to me.
My assumption is that to log in to 1Password with a passkey, that passkey has to be stored on a device. For iOS/Mac that is iCloud Keychain. For Windows, Linux, Android, or any other platform it will be stored somewhere else. Now the passkey, which is the gateway to my digital life, is stored in a whole bunch of places, with associated security or lack thereof.
If this assumption is correct, then 1Password seems to be passing off the security of the whole platform to other platforms which means it is out of their control, and inherently less secure. (iPhone passcode could give access to iCloud Keychain for example).
One other question, if I lose all my devices, how do I get access to my 1Password account? No passkey or other logged in device available to validate. I go to 1password.com and ???
Help me understand why passkey login to 1Password is a benefit worth doing and using?
Thanks!
- millertime
Occasional Contributor
> That being said, if you do end up in a situation where you don’t have access to your email address on any of your devices then you can reach out to your email service provider for help with resetting the password for your email account. Once you’ve regained access to your email account, you’ll be able to use your recovery code to recover access to your 1Password account.
I find it odd to fault a third party (mail provider) for this situation. Additionally, suggesting the activation of multiple devices seems impractical, considering the average user likely owns just a phone and a computer. The only sensible option to prevent the user from locking themselves out would be if the recovery key were tied to a passkey and not to an email address.
- rallyn1password
Occasional Contributor
Thanks for additional info. If they steal the iPhone, then they have the trusted device in their hand and the iCloud Keychain access, so little comfort there, and sure hope it is not easy to get access to email without credentials, but I get where you are headed, more than just the passkey is required. This is just not a direction I think I can support at this time for my users.
One other question along this line, if I work across iOS, Android, Windows, Mac, and Linux with multiple web browsers on each platform, and multiple devices (phone/tablet) on iOS/Android, do I get a unique passkey for each browser / device / OS? So I would now have a whole collection of passkeys? Or one passkey now on many devices?
Thanks again for the follow ups.
- 1P_Dave
Moderator
Thank you for the reply. It's important to be aware that your passkey, stored in iCloud Keychain, is by itself not enough to add your 1Password account to a new device. You'll always need to perform an additional step: confirming the sign in from an existing trusted device.
> In the worst case scenario of losing all my devices, and my email password is in 1Password, and you require me to have access to my email to recover my 1Password access, then I have just been locked out of the platform, correct?
We recommend adding several trusted devices to your passkey account. A trusted device can be used to gain access to your account, or to grant access to another device should you lose one. This will allow each of your trusted devices to receive verification codes if you lose access on one of your devices, or need to sign in on a new one.
You're correct that your recovery code by itself is not enough to recover access to your 1Password account. You’ll also need access to your email address to receive a verification code. It's unlikely that you would lose access to all of your devices where you have access to your email at the same time.
That being said, if you do end up in a situation where you don’t have access to your email address on any of your devices then you can reach out to your email service provider for help with resetting the password for your email account. Once you’ve regained access to your email account, you’ll be able to use your recovery code to recover access to your 1Password account.
> I appreciate the information, but at this point, I will not be allowing anyone in my family group / friends to use Passkey login to 1Password. Having to know a login name, password and security key is at least dependable, reliable, secure, and easy to explain and share between trusted users. Passkey login to 1Password seems to be none of those.
Passkey unlock for 1Password is currently in beta and you and your family/friends can certainly choose not to join the beta and just stick with your existing accounts. As the beta progresses we hope to share more regarding things like account recovery for family accounts and more. 🙂
-Dave
- rallyn1password
Occasional Contributor
Thanks for the reply Dave.
So it sounds like my concerns are well founded. You are delegating control of access to 1Password to other platforms out of your control, like Apple's iCloud Keychain, which could be compromised by observing an iPhone unlock code and stealing the phone. Yes, Apple is belatedly, slowly trying to address it in some future release, and users can use Screen Time passcode, but in the meantime, your whole platform is at risk and it is not in your control. There will be other issues in the future, that is the one thing we can guarantee.
You also say:
> Folks using the passkey unlock beta are able to generate a recovery code that can restore access to their account if they lose access to their passkey. They can save the code in a safe location, and use it if they need to recover access to their account after losing all other means of access. Access to the email address associated with a 1Password account will still be required for verification purposes.
In the worst case scenario of losing all my devices, and my email password is in 1Password, and you require me to have access to my email to recover my 1Password access, then I have just been locked out of the platform, correct?
I appreciate the information, but at this point, I will not be allowing anyone in my family group / friends to use Passkey login to 1Password. Having to know a login name, password and security key is at least dependable, reliable, secure, and easy to explain and share between trusted users. Passkey login to 1Password seems to be none of those.
- 1P_Dave
Moderator
Hello rallyn1password, oUNderge, and 9elsen! 👋
Thank you for the great questions! I'll answer them below:
> I can't understand the reason to spend development dollars to enable passkey login to a 1Password account. I must be missing something here. I am a huge fan of passkeys and 1Password as the repository for all my passkeys, but logging into 1Password with a passkey makes no sense to me.
We want to make security simple and convenient. Passkeys are a great solution for the challenges we see some people face with the account password + Secret Key model.
If someone is less technically savvy, they might not understand that they need to have access to both their account password and Secret Key in order to sign into 1Password. Or they might forget where they've stored their Secret Key when they need it. Or they might have a good grasp on how things work when they sign up for 1Password but then run into trouble a year later when they get a new device, try to add 1Password to that device, and find themselves having to remember what terms like "Secret Key", "sign-in address" and "Emergency Kit" mean.
Even if you are technically savvy, the process to add your 1Password account to a new device can be complicated and require many steps. Passkeys make signing into your 1Password account easy, convenient, and secure and do away with the need to memorize an account password and look after a Secret Key: Unlock 1Password With a Passkey: Now in Beta
That being said, if you're happy with the existing account password + Secret Key model then you can stick with that, there's no need to change anything.
> If this assumption is correct, then 1Password seems to be passing off the security of the whole platform to other platforms which means it is out of their control, and inherently less secure. (iPhone passcode could give access to iCloud Keychain for example).
If you sign up for the passkey unlock beta then I recommend storing the passkey for your 1Password account somewhere safe. iCloud Keychain is end-to-end encrypted which means that no one, not even Apple, can access your passkey.
Biometrics are used by iOS AutoFill to access your saved passkey in iCloud Keychain. If biometrics fail then your iPhone will indeed fall back to your device passcode which you can change to be more complex if needed: Use a passcode with your iPhone, iPad, or iPod touch - Apple Support (CA)
The iOS 17.3 beta also introduces Stolen Device Protection which will provide an additional layer of security preventing access to your saved credentials in iCloud Keychain if your device is stolen and someone has obtained your device passcode.
> One other question, if I lose all my devices, how do I get access to my 1Password account? No passkey or other logged in device available to validate. I go to 1password.com and ???
Folks using the passkey unlock beta are able to generate a recovery code that can restore access to their account if they lose access to their passkey. They can save the code in a safe location, and use it if they need to recover access to their account after losing all other means of access. Access to the email address associated with a 1Password account will still be required for verification purposes.
Our support page includes instructions on how to generate and save your recovery code: Unlock 1Password with a passkey (beta)
I hope that helps! 🙂
-Dave
- 9elsen
Contributor
> Now the passkey, which is the gateway to my digital life, is stored in a whole bunch of places, with associated security or lack thereof.
The platform owners (Google/Apple/Microsoft) are offering native support for passkeys. If they do not build that securely, I guess the whole idea of passkeys goes down the drain?
- oUNderge
New Contributor
As a user I have had the same thoughts. I wonder if 1Password will let you store your passkey for your 1Password account on a USB drive which you could store in multiple safe places like: 1 in your home safe, 1 in your safe-deposit box and 1 in the home safe of a family member. I am sure you can appreciate the importance of having multiple copies for redundancy.