If I use a passkey aren't I making my login less secure?

I've been reading about passkeys and how they work in general and also how IPW will handle them. Still unclear to me how they work, how 1PW will handle them, and especially the implications of them vs what we have now.

I see some of the advantages of passkeys for security issues (caused especially by lazy users) but it seems like what this really amounts to is offloading the responsibility and liability of security from companies to users. This may be an improvement for lazy users (and for companies) but seems to cause some issues for the rest of us long-time users.

There is a lot of discussion about the security of biometrics. I have some concerns about that too. I even tried to make my iPhone recognize a photo of myself. It didn't work, but more sophisticated means might.. Even if biometrics can't be spoofed, there are other issues I've not seen mentioned elsewhere. Here is a common scenario I've seen in public. Someone unlocks their phone, say with friends at a restaurant, and lays it on the table. A thief could walk by and grab the phone off the table or even out of your hand. If this scenario means the thief can now change your device lock scheme and then access all your banking, we've got a problem and will see a lot more of this happening!

Using a PIN instead of biometrics won't help either. I use a complex 21 character PW to unlock 1PW when I need to use it. I don't want to have to enter that PIN every time I want to use my device. So having a 4 or 6 digit pin to get to all passkeys won't work for me.

What I want is a two-tier systems where a short pin can access my phone and low security passwords/passkeys that I use a lot with a more secure level for banking and other high risk passcodes. And I need a way to archive them online so if I'm in Europe and loose all my devices, I can buy a new one and get my passcodes back. Currently this is conveniently provided by putting low risk often used PWs into Safari PWs and the rest into 1PW with face recognition on the iPhone and a shorter but still robust PW for my laptop.

It's unclear to me at the moment if passkeys (and 1PW) will provide my desired use cases.

Hi @richardwarriner, thanks for your question!

Passkeys can provide the same level of security as a password plus two-factor authentication, with a lot less friction as they are two factors of authentication built into one. Passkeys cannot be remotely phished, socially engineered, or leaked. Those are the threats that two-factor authentication was designed to protect against.

In testing, I've found that accounts have continued to support an MFA option in addition to passkey sign in. So, you can sign in with your passkey saved in 1Password then use MFA to complete the flow. If you prefer to use both, you can likely continue doing so for the foreseeable future.

While I anticipate migrating away from MFA where passkeys are available, I can personally think of a few situation where I might want to keep MFA. For example, when visiting, younger members of my family often play games on my personal computer. Perhaps not the textbook definition of a "malicious actor" but if I forget to lock 1Password, having that extra layer of protection for banking or similar websites would certainly be appreciated if someone gets curious.

Let us know if you have any questions or if there's anything we can help with!

Hi,

you are not missing something.
This topic has been discussed with the saving of 2FA in 1P (search in the forum for a good read).

It is multiple things at the same time :
usability, convenience vs extra-security

In the end, it all depends on the risks you think you might face (with any solution).

In fact, it is the security of the device where 1P is installed which count (1P itself is really good).

1P is offering a huge convenience in usage with the passkey but I agree it feels a little too easy.

When passkey safe stored in a system, they are not in easily portable to another. 1P solves that and will extend it over time.

If you are the kind of person who use a double blind password(pwd stored in 1P should be completed each time with your own salt): you might feel unsafe.

I would like to suggest the dev to add an option to validate the usage of passkey (even some items or 2FA stored in 1P) via another device, a fingerprint or something else.
This would be optional and per item eventually.

For now, nobody is forcing you to use passkeys. So, it is up to you to use passkey in 1P or not.

Still your accounts are all tied to your email or phone number. From a security perspective, access to it must be strictly secured (i.e. if preview is allowed for emails / sms on your phone screen notifications > that might be enough to reset am account password).

With multiple devices, each one can be the weak point...