Signing back into the Community for the first time? You'll need to reset your password to access your account. Find out more.
Passkey unlocked using device passcode
Hi, A silly question, maybe, regarding unlocking 1Password with a passkey. I was one of the private beta users and, while I found it very convenient, there is an aspect that worries me a lot. Probably it’s just me not understanding the details, that’s why I am asking here. In the blog post describing the introduction of passkeys to unlock 1Password (https://blog.1password.com/unlock-1password-individual-passkey-beta/) you can read: “Once you’ve created a passkey, you can unlock 1Password by using biometrics or, as a fallback, the passcode that protects your device. You can then use your first device to set up more trusted devices with 1Password.” Let’s imagine that someone has access to my iPhone and tries to get into 1Password. Biometric will not work, as his face is different from mine. With the current master password, he needs to guess a long and complex sequence of letters, numbers and special characters. Very difficult. With the passkey, he will only need to guess the passcode that protects my device. Much easier than my master password. Entropy level of the secret key of the passkey pair can be as high as possible, but if anyone can access it with the phone passcode (usually 6 digits, nobody will ever use a 26 characters random password as a phone passcode), can someone explain me how the passkey is as safe as the master password in a situation like the above? Thanks! 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided
Why passkey login to 1Password?
I can't understand the reason to spend development dollars to enable passkey login to 1Password account. I must be missing something here. I am a huge fan of passkeys and 1Password as the repository for all my passkeys, but logging into 1Password with a passkey makes no sense to me. My assumption is that to login to 1Password with a passkey, that passkey has to be stored on a device. For iOS/Mac that is iCloud keychain. For Windows, Linux, Android, or any other platform it will be stored somewhere else. Now the passkey, which is the gateway to my digital life, is stored in a whole bunch of places, with associated security or lack there of. If this assumption is correct, then 1Password seems to be passing off the security of the whole platform to other platforms which means it is out of their control, and inherently less secure. (iPhone passcode could give access to iCloud Keychain for example). One other question, if I loose all my devices, how do I get access to my 1Password account? No passkey or other logged in device available to validate. I go to 1password.com and ??? Help me understand why passkey login to 1Password is a benefit worth doing and using? Thanks! 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided
Use of PRF extension
Hi, I've tried out the beta to unlock 1Password with a passkey, and it seems to work well, but I'm surprised that passkeys only serve the purpose of authentication. According to the white paper, the actual encryption key is stored on the already logged in clients, wrapped by a key provided by the server when the authentication succeeds. This is different from the way Bitwarden has released its passkey unlock beta. The encryption key is directly derived from the passkey using the FIDO2 PRF extension. This allows the use of security keys as passkeys. I know that 1Password does support physical tokens as passkeys too, but it is not of much use, since you need a trusted device to transfer the encryption key anyway, which means you can not rely on your key as a backup method. The absence of PRF also means that users can not take advantage of the passkey backup offered by Google Password Manager and iCloud Keychain. I think that the ability to set up PRF with supported authenticators would be a great addition to the system. It would allow a much more consistent experience and would probably prevent some account losses due to the recovery code not being saved (or access to the associated email being lost, e.g. because it was stored within 1Password). I know that not all platforms currently support PRF, but it is already quite widespread, as from what I have tried, at least Android, Chromium and YubiKeys do support it. Even users of unsupported browsers would benefit this feature since they could temporarily use a supported platform to regain access when needed. By the way, based on my test with Bitwarden, 1Password as an authenticator (for third-party websites) doesn't seem to support PRF. This would be a great addition too, because it's the most practical way to use zero-knowledge encryption with passkey login, so we can probably expect more and more websites to implement it. Thanks a lot for your work! Guillaume 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided
Accessing 1Password with Passkey
(1) Can I access 1Password with multiple passkeys? (2) Can I access 1Password with a passkey stored on a Yubikey? (3) Can I access my account on 1Password.com with a passkey stored in 1Password, while unlocking the 1Password app using my master password? 1Password Version: 8.1.20 Extension Version: 2.17.0 for Chrome, 2.17.1 for Safari OS Version: MacOS Sonoma 14.1.1 Browser: Chrome and SafariCan I store the passkey for my 1Password account on a Yubikey?
Hey guys, I just read your newsletter about passkeys and login into 1PW.com and the authentication details. Is there any way to add the passkey and the "hidden secret" to a Yubikey - To have such kind of keys as backup? Or would the migration to 1PW.com Passkeys result in the need to have at least one PC, Smartphone, Tablet as trusted device. And Yubikeys won't be supported any more? (not from Webauthn perspective) but the hidden secret string can't be passed to the HW Key? 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided
Recovery Code: Recent attempt was cancelled.
I have created a new test account and wanted to try out the recovery code. Unfortunately, I receive an error message stating "Recent attempt was cancelled" every time I attempt to log in, even after waiting several hours and generating new codes. 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not ProvidediOS Passkey with Github fails to create or login
Hi, I've made a Github passkey via the Edge browser on Win11 and it works great. Logging in via Edge is seamless. Now that passkey is saved into my 1P vault I thought I could use that on my iPhone so I went to Safari -> github.com and tried to login. Unlike in Edge where as soon as I go to the login page and 1Password pops up saying "Sign in with a passkey". In Safari on my iPhone I get various different errors. Starting from this page point: Sometimes 1P doesn't pop up to offer to log in. When it does it does not offer the passkey and instead fills in a user/password. After filling in with user/password the website then prompts for a passkey, when you try to use it github says "Authentication failed." If you click the github button saying "Sign in with a passkey" you either get "Authentication failed.", OR you get these iOS popups asking to scan a QR code which makes no sense to me; Also; I thought maybe 1P passkeys just aren't ready to be shared across devices yet so I logged in the usual way on Safari and tried to make a passkey on the iPhone. I get this error: 1Password Version: 8.10.16 Extension Version: Not Provided OS Version: iOS 16.6.1 Browser: SafariWill the future Unlock with passkey allow unlocking one device with another?
People have been asking to unlock 1Password on one device (typically the desktop apps or the various browser plugins) using another device, typically a phone with biometric unlock, for some time. See https://1password.community/discussion/86246/ or https://1password.community/discussion/68328/ I admit this feature would make my life easier, because I've been typing my master password dozens of times a day for years (on average 2 computers × 3 browsers × several lock timeouts a day.) But I don't want it to be easier at the expense of security. With the upcoming passkey support for 1Password accounts https://blog.1password.com/passkey-secret-key-account-security/ it seems that this could become a reality, because being public-private key pairs, passkeys should allow unlocking a device safely using another, without sharing private secrets. Will it be possible to: click on a browser extension icon or desktop icon on my PC; have my phone show a notification from the 1Password app, asking me to confirm unlocking 1Password on device X in country Y, or some such; be able to confirm the passkey using my phone's biometrics, which will sign the challenge that was created on the other device at step 1. and send it back over the network? 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided
