
jmjm
Dedicated Contributor
5 months ago

Nuts and bolts of using Passkeys

I am a relatively long-time user of 1P but so far a 'never' user of passkeys. I'm sure it is in my best interest to use them, but I am still uneasy with the "nuts and bolts" of their implementation for my accounts.

Let's take Gmail as an example, as it is the most important service I have outside of 1P that requires protection.

I am prompted by Google, not infrequently, to adopt a passKEY login, but so far I have declined. Right now, when I need to log in, I use 1P to obtain the stored password and, if necessary (if asked for it), use my physical YubiKey (or my Aegis authenticator to generate a TOTP).

IF I take Google up on its offer to establish a login using a passkey...

  • will I be prompted to save it in 1P, as is the case when generating a "traditional" password? Is this passkey saved within 1P AND on my machine (independent of 1P)?
  • I would imagine that with Gmail one can then sign in using only the passkey generated previously (with no "need" for my YubiKey or Aegis authenticator) and no longer requiring the previously established passWORD. But (any)one can still log into my Gmail account using that long-held password (but still needing one of my 2FAs?). So still being able to sign into my Gmail account traditionally seems like a security flaw?
  • I have several devices on which I view my Gmail accounts. If any of these devices has 1P installed on it, can I use that same saved single passkey, or do I need to create and save a separate passKEY for each device? If the latter, would I need to be more specific in the appropriate 1P entry as to which goes with which?

1 Reply

  • Hello jmjm! 👋

    Thanks for reaching out! Passkeys are a modern alternative to passwords – they enable people to log in to their online accounts without having to enter a password. Passkeys are based on a public-private key pair – one key is public and connected to the website or app you’re using, the other key is private and stored in 1Password.

    Once you've created and saved one passkey for an account using 1Password on one device, there's no need to create another passkey using 1Password on another device. 1Password makes sure that the passkey you saved on one of your devices will be immediately available for sign-in on the rest of your devices. Passkeys are encrypted and saved directly to your 1Password account, just like passwords and other items that you already store in 1Password.

    You can read more about saving and signing in with passkeys here:

    But (any)one can still log into my Gmail account using that long-held password (but still needing one of my 2FAs?). So still being able to sign into my Gmail account traditionally seems like a security flaw?

    Passkeys can’t be phished like a traditional password because the underlying private key never leaves 1Password – this also makes them resistant to the social engineering scams that 2FA is primarily meant to protect against. 

    Some websites will allow you to remove the username/password entirely but others require that you keep both options. Part of the reason why many services leave passwords as a fallback option is because, for their website and apps, passkeys may not be supported across all devices and platforms yet. Even if you can't remove your old password then you still get the benefit of increased protection from phishing every time that you use your passkey to sign into a website or app.

    If you do keep your passwords alongside your passkeys for certain websites, make sure that all of your passwords are strong and unique: Use the password generator to change and strengthen your passwords

    Let me know if you have any other questions. 

    -Dave
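As an added illustration (not part of the thread above, and not 1Password's or Google's code), here is a reduced model in Go of the challenge-response sign-in that Dave's reply describes: the site keeps only the public key, the private key stays in the credential manager and signs a fresh challenge together with the origin the browser observed, and the site rejects any assertion whose challenge or origin does not match. It goes one step beyond the reply by showing the mechanism behind the phishing resistance: the credential is bound to the site's identifier, so a lookalike domain is neither offered the passkey by the manager nor able to produce an assertion the genuine site accepts. The site name mail.example, the trimmed clientData structure and the function names are all assumptions for illustration; real WebAuthn also signs over authenticator data (RP ID hash, flags, counter), which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Passkey is the private half of the credential, held by the credential manager; a
// synced manager carries this one key pair to every device. (Illustrative model only.)
type Passkey struct {
	RPID string            // site identifier the credential is bound to
	Key  *ecdsa.PrivateKey // never leaves the manager
}

// ClientData is a reduced clientDataJSON; the browser, not the user, fills in Origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewPasskey creates a fresh P-256 key pair bound to one site (rpID is constructed).
func NewPasskey(rpID string) (*Passkey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Passkey{RPID: rpID, Key: key}, err
}

// NewChallenge is the per-attempt random nonce the site issues; it defeats replay.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return hex.EncodeToString(b), err
}

// SelectPasskey mimics the browser/manager lookup: a passkey is offered only when the
// requesting page's host is the RP ID or a subdomain of it, so lookalike hosts get nothing.
func SelectPasskey(vault []*Passkey, origin string) *Passkey {
	u, err := url.Parse(origin)
	if err != nil {
		return nil
	}
	for _, p := range vault {
		if u.Hostname() == p.RPID || strings.HasSuffix(u.Hostname(), "."+p.RPID) {
			return p
		}
	}
	return nil
}

// Sign answers the challenge: ECDSA over SHA-256 of the client data, which carries
// the origin the browser actually observed.
func (p *Passkey) Sign(challenge, origin string) (clientData, sig []byte, err error) {
	clientData, err = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(clientData)
	sig, err = ecdsa.SignASN1(rand.Reader, p.Key, digest[:])
	return clientData, sig, err
}

// Verify is the site's side: challenge, origin and signature must all check out.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, challenge string, clientData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	digest := sha256.Sum256(clientData)
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return errors.New("origin mismatch: assertion was made for " + cd.Origin)
	case !ecdsa.VerifyASN1(pub, digest[:], sig):
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	const origin = "https://mail.example" // constructed site; no real RP ID is assumed
	pk, _ := NewPasskey("mail.example")
	vault := []*Passkey{pk}
	ch, _ := NewChallenge()
	cd, sig, _ := SelectPasskey(vault, origin).Sign(ch, origin)
	fmt.Println("genuine site:", Verify(&pk.Key.PublicKey, origin, ch, cd, sig)) // <nil>
	fmt.Println("lookalike offered a passkey:", SelectPasskey(vault, "https://mail-example.test") != nil) // false
	cd, sig, _ = pk.Sign(ch, "https://mail-example.test") // even a forced assertion is rejected
	fmt.Println("lookalike site:", Verify(&pk.Key.PublicKey, origin, ch, cd, sig))
}
```

The two checks worth noticing from a defender's view are the ones that a password cannot offer: the per-attempt challenge means a captured assertion is useless a second time, and the origin comparison means that whatever a user is tricked into clicking, the signature only validates at the site the credential was registered for. The fallback password Dave mentions is exactly what this binding does not cover, which is why his advice to keep it strong and unique still applies.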