Forum Discussion
Former Member
2 years ago
Disable Passkey support for AutoFill
I prefer to keep Passkeys in my iCloud Keychain because it's essentially syncing just on my iPhone & iPad, while 1Password has an archive file format, so those keys would essentially be files in the filesystem on my Windows PC.
The problem is that in iOS 17 I have to have both enabled for that. I liked the behavior back in iOS 16, where 1Password didn't declare Passkey support (because there was no API) and iOS auto-picked iCloud. Can that be added as an advanced switch to the app? Or does iOS 17 not allow password managers to declare Passkey support dynamically? (i.e. it's stuck in the manifest and can't be changed)
1Password Version: 8.10.16
Extension Version: Not Provided
OS Version: iOS 17.0.3
Browser: Not Provided
- 1P_Dave
Moderator
Hello @Smileybarry! 👋
Thanks for the feedback! 1Password is designed to store all of your passwords and passkeys so that they're available on all of your devices. Can you tell me a little more about why you're storing passwords in 1Password and passkeys in iCloud Keychain?
It sounds like that would cause confusion, and duplicate items in different managers, as you update logins from using passwords to using passkeys. I look forward to hearing from you.
-Dave
- Former Member
Yes:
In general, I keep everything in my 1Password. The sole exceptions are:
- TOTP for accounts that need “real 2FA”, so I save their TOTP in a separately encrypted authenticator app;
- Some FIDO2 Security Keys for the same “real 2FA” reason; and
- Passkeys (except for the same cases where I’d save TOTP in 1Password anyway).
The reason for saving Passkeys elsewhere is defense-in-depth and ensuring the least credential theft possibility as I can. At work we keep our code signing keys on a hardware token to keep them from being stolen by an attacker. For that same reason, I prefer keeping some of my own keys on hardware or hardware-enforced platforms: Yubikeys, TPMs, etc.
While I love 1Password, it’s still essentially syncing a file-based archive around and accessing it with a userland application. I completely trust it from a brute-force perspective, but credential theft is another matter. (On a defense-in-depth level) Since websites are giving Passkeys a very high trust level, I’m wary of saving them in software for that reason.
I know iCloud Keychain means it’s not a “real” hardware key and not unexportable, but it’s at least properly separated on iOS/macOS/iPadOS and secured by each device’s secure element, that I trust it enough.
TL;DR / To sum up: It’s out of a defense-in-depth and tiering approach, put simply, some accounts are more important than others.
- 1P_Dave
Moderator
@Smileybarry
Thanks for the reply. I'm not an expert on how iCloud Keychain works but from my understanding the Keychain itself is not stored in the Secure Element:
The keychain is implemented as a SQLite database, stored on the file system.
Source: Keychain data protection - Apple Support (CA)
Malware exists that can steal the Keychain database: New macOS malware steals sensitive info, including a user's entire Keychain database
Because of 1Password's dual-key architecture, where your data is end-to-end encrypted using both your account password and your Secret Key, 1Password is the most secure place to keep your passkeys and ensure that they're available on all of your devices. You can read more about our security model here: About the 1Password security model
-Dave
- Former Member
You’re right regarding malware on macOS, but it’s sufficiently separated on iOS platforms, which I currently use with Keychain.
Additionally, I’m not sure if Keychain may run in a separate UID or guarded by the kernel in some way. (Whereas 1Password runs under the same user account on Windows at normal integrity, ergo elevation is not necessary to access its files)
But either way — one syncs with my computer, one currently does not (as I don’t own a Mac). So I can have a higher level of trust in it, given that my iOS devices aren’t jailbroken and nothing (save for extreme vulnerabilities) can access Keychain.
- 1P_Dave
Moderator
@Smileybarry
Thanks for the reply. It's important that your Windows PC is safe to use before you install 1Password since you're correct that 1Password can't protect you if your PC is infected with a malicious process that has access to your system. You can find more details in our Security White paper under the "Malicious processes on your devices" section: 1Password Security Design
If you're uncertain that your Windows PC is safe to use then I would avoid installing 1Password on that system at all in the first place. Alternatively, you could create a guest account in 1Password that only has access to a single vault with the data that you feel comfortable storing on your Windows PC and only add that guest account to the Windows PC:
iCloud Keychain, which can be synced to Windows as well, would be subject to the same considerations. Let me know if you have any questions.
-Dave
- Former Member
Hi again,
Yes, my computer is safe and secure. What I said regarding integrity level etc. is simply part of defense in depth and planning for unforeseen exploits, same reason why not everything runs at admin level, or Chrome uses process sandboxing at untrusted integrity for renderers.
Also — iCloud Passwords can sync with Windows, but just the usernames and passwords, and has to be enabled manually.
I know I’m not the average user — neither in needs nor in security planning from my time in infosec — which is why I suggested this (Passkey support) as an advanced toggle in the first place.
Would that be possible to add on iOS, and restore iOS 16 behavior?
- 1P_Dave
Moderator
@Smileybarry
Thanks again for the feedback. While I can't make any promises, I've filed a feature request on your behalf to add an option to turn off 1Password passkeys for AutoFill on iOS. Our product team will look into the request for future versions of 1Password.
-Dave
ref: PB-36196082
- Former Member
Hello,
any news about this topic? I want to use passkeys on my iPhone but I don't want to save them in 1Password. The fact that I'm forced to save them in 1Password is very annoying.
- 1P_Dave
Moderator
@fabiograsso
Thank you for writing in. Can you tell me a little more about why you'd like to save your passkeys in iCloud Keychain and not 1Password? I would be happy to pass along your use case and request to the team as well.
-Dave
- Former Member
@fabiograsso If you go to settings -> passwords -> password options you can select both iCloud and 1Password as options for passwords and passkeys. This will give you the option to save passkeys to iCloud instead if you want, and it's my path forward for the time being.