Forum Discussion

kelly_
New Contributor
7 months ago

I don't get Passkeys...

Hi all, I'm sorry if this is a dumb post, but after a bit of online exploration, I just don't understand how passkeys relate to 1Password. I've been using the latter for years, in what I *think* is a fairly successful process of creating and managing secure passwords via the app. However, I was recently prompted to set up a passkey via Google - and now I have so many questions. I'll start here: do I need to turn all of my "logins" in 1Password to passkeys?

Thanks! 

2 Replies

  • fernando91
    Occasional Contributor


    Passkeys and 1password are different, but somewhat related things. Don't get confused by how they have similar spellings.

    To make a simple analogy, a passkey is like a key, 1password is a keyring.
    But a passkey is a special key that can answer a mathematical challenge based on cryptography.

    Passkeys provide a big upgrade in that it takes a big burden off of service providers like Google, Microsoft, and any site where you have to securely log in. The typical ID / password combination requires a lot of diligence to properly set up and protect on the server side, and we as users have no idea whether it's done right. If a website gets hacked, it's sometimes possible for hackers to reverse-engineer people's passwords. (And this gets worse since people are lazy and re-use the same PWs on many sites.)

    With passkeys, this reverse-engineering of credentials is impossible. There's nothing for hackers to get. And it's also impossible for users to re-use the same passkey on different websites.

    As for myself, I would never store a passkey in a cloud password manager like 1password, unless 1pw was authenticated with a physical token like a yubikey. That being said, yubikeys implement the same underlying FIDO2 protocol used by passkeys, but it's impossible to compromise a yubikey without physically possessing it.

    Should you switch all Google logins to Passkeys? It depends on your threat model. Google is definitely moving toward this standard, and you probably already have passkeys set up in your Google account without even knowing it.

    I personally did not move my Google Accounts to passkeys, with the exception of accounts where I keep sensitive information, AND I need to be able to get into those accounts in a purely software manner (e.g. passkey stored in 1pw) rather than requiring a physical hardware token like a yubikey.

    For the average person, I would indeed suggest switching to passkeys, because the average person is very likely to fall for scams that would get their account PW compromised anyway. Passkeys are a much better barrier to this kind of compromise.

  • AJCxZ0
    Bronze Expert

    Passkeys are an example of public key cryptography. A flawed physical analogy: you have a key which splits in two, you give copies of the "public" half to the owners of all the doors which you want to unlock for them to install in the locks, but only when you insert your "private" half does the key open the lock.

    1Password is handling all the key creation, storage, sharing, and the protocol for using it for you, leaving you to choose where and when to use each one. The only part not yet fully worked out is how to safely take your private keys out of 1Password or bring an existing key into 1Password (but they are working on it).