In this blog post, it shows how we can log into 1Password without a password, and using our biometrics/device. Correct me if I am wrong... So the Passkey for my 1Password account is tired to my iPhone (assuming in the passkey area of my iPhone). With the issue of people having their iPhone stolen and they are locked out, is this a bad idea? If someone gets my iPhone, has my passcode for my iPhone, wouldn't the attacker have access to my 1Password then? I know the work around to protect my iPhone, but not all do this. my iPhone password is also alphanumeric, not just 6 digits. 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser:_ Not Provided

Hello prime! 👋 I'm sorry for missing your post and I'm happy to respond to some of your concerns. Folks will soon be able to unlock their 1Password account with a passkey instead of a Secret Key and account password – this removes the need to remember a strong and unique password. Customers can add trusted devices to sign in to their account using the same passkey. As with account passwords, inside 1Password isn’t a good place to keep the passkey for 1Password. Instead, we’ll rely on solutions – such as iCloud Keychain – provided by platform vendors, to sync and sign in to 1Password itself with passkeys. We're bringing forward this innovation as a way to better protect your data. Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can’t be phished like a traditional password – this makes them resistant to social engineering scams. The attack that you mentioned would require that a malicious actor has access to both your physical device as well as that device's passcode. To help guard against such an attack I recommend that you: Use Face ID or Touch ID to unlock your device when in public so that eavesdroppers can't spy on you entering your device passcode. Set a strong passcode, you don't need to use a simple PIN but can choose a strong custom alphanumeric code: Set a passcode on iPhone - Apple Support (CA) When passkey unlock is introduced for 1Password accounts, it will be an option and not the only way to use 1Password. If your personal threat model requires that you stick with an account password and Secret Key to unlock 1Password then you'll be able to do so. I hope that helps! 🙂 -Dave [edit: Spelling and grammar]

I think that it is very concerning that Apple's implementation of passkeys authentication in iOS falls back to Passcode after a few failed attempts using FaceID / TouchID. While having a complex Passcode and using these biometrics to unlock the iPhone reduces the risk of being a victim through shoulder surfing, it doesn't help when muggers coerce a person to hand over their iPhone and to reveal their Passcode at knifepoint. This is happening nowadays, where muggers use the Passcode to log the victim out of other Apple devices they might have and change their Apple ID password. And now with Passkeys, they can also authenticate into any services which the victim has configured to sign into using Apple passkeys. For that reason, I consider very risky to configure 1Password to be unlocked using Passkeys on iOS. I know this it not mandatory as you wrote, 1P_Dave, but I think that most iOS users are probably not aware of this risk, and 1Password could probably highlight it. Also, Apple really should, in my opinion, give iPhone users the option to specify that they don't want to allow the Passcode to be used to authenticate Passkeys (and also not to allow it to be used to change the Apple ID password). Any thoughts on this, 1P_Dave?

Would be prompted for appleid email (assume they know this and enter it) All the person has to do is open the email app and look for emails sent by Apple. I’m not as worried, my passcode is over 15 characters long and if Face ID fails and I have to put it in, I do it so no one can see me. I’m more worried about my parents, in-laws, kids, and others who just use a 6 digit PIN for their iPhone password after I tell them it’s not a good idea.

Just a minor correction to avoid confusion: the correct word here is "passcode You can configure a passcode to be a custom alphanumeric code. That’s more like a password and you don’t have to reuse it anywhere else.

I was about to email mailto:passwordless@1password.com about this. Glad prime brought it up. I've been following 1Password's passkeys blog/emails since last year, and throughout that time, this issue was not clear to me. I concur with @luisneto's suggestion to 1P_Dave that 1Password should highlight this shortcoming in Apple's security envelope, as it related to securing our vaults. 1P_Dave, is there no way for 1Password to serve as the "hardware" on Apple devices, rather than simply the storage for the passkey? I trust 1Password any day over Apple's "masses over security" approach. I've been telling people to refrain from using passkeys until there's clarification on this, so it's good to know. Apple's glib responses to WSJ articles have been concerning. Their most recent security additions show where their focus lies (with careless rather than responsible users): "Recovery Key," like passwords, can also be changed (and enabled) with the passcode and makes it nearly impossible for theft victims to access their accounts. "Account Recovery Contact," helps people who forget their password and passcode, by allowing them to request a code from a trusted contact. If this is at all unclear to us, the beta-using technophiles on your forums, I think it's unlikely that everyday users will spare 1Password blame when Apple's poor policies get them locked out of their account, and suddenly they lose everything in their 1Password vault also.

Passkey and unlocking 1Password with it (biometrics) in iPhones

22 Replies

XIII
Super Contributor
3 years ago

Just a minor correction to avoid confusion: the correct word here is "passcode

You can configure a passcode to be a custom alphanumeric code.

That’s more like a password and you don’t have to reuse it anywhere else.
Former Member
3 years ago

my iPhone password
Just a minor correction to avoid confusion: the correct word here is "passcode" 🙂

Indeed, we all know that we shouldn't be using the same password across services, so that if a password is leaked, the attacker can't get into other services/apps.
And yet, unfortunately, nowadays the iPhone Passcode is like a password reused in various places.
prime
Dedicated Contributor
3 years ago
XIII

my 1Password account, since that passkey will have to reside in iCloud Keychain

And that’s my original point. If it’s in iCloud and someone, somehow saw my iPhone password to get into it, they will have access to my 1Password if they take my iPhone (like in the links in my original post).
XIII
Super Contributor
3 years ago
1P_Dave No need to convince me about passkeys; I’m going to use them everywhere I can (and stored in 1Password).

With possibly 1 exception: my 1Password account, since that passkey will have to reside in iCloud Keychain. While the chance is small that I lose my iPhone, iPad, and MacBook in the same event, it is not zero. A passkey would still be my preferred way of logging in to 1Password, but I would like to have an analog backup (like the current Rescue Kit).
Former Member
3 years ago
I think that it is very concerning that Apple's implementation of passkeys authentication in iOS falls back to Passcode after a few failed attempts using FaceID / TouchID.

While having a complex Passcode and using these biometrics to unlock the iPhone reduces the risk of being a victim through shoulder surfing, it doesn't help when muggers coerce a person to hand over their iPhone and to reveal their Passcode at knifepoint.
This is happening nowadays, where muggers use the Passcode to log the victim out of other Apple devices they might have and change their Apple ID password.

And now with Passkeys, they can also authenticate into any services which the victim has configured to sign into using Apple passkeys.

For that reason, I consider very risky to configure 1Password to be unlocked using Passkeys on iOS. I know this it not mandatory as you wrote, 1P_Dave, but I think that most iOS users are probably not aware of this risk, and 1Password could probably highlight it.

Also, Apple really should, in my opinion, give iPhone users the option to specify that they don't want to allow the Passcode to be used to authenticate Passkeys (and also not to allow it to be used to change the Apple ID password).

Any thoughts on this, 1P_Dave?
bugwhat
Super Contributor
3 years ago
To answer the way above question.
Does anyone know whether a hardware key with apple 2FA prevents reseting Apple ID with just a trusted device?
I know this is off topic, but to answer your question.
If you lose both keys–or they’re stolen, broken, or destroyed–you can still rely on trusted devices to regain account access or remove keys and enroll new ones. However, if you can’t use your security keys and lose access to all trusted devices, your Apple ID account will likely be unavailable forever.
Former Member
3 years ago
If I do the following:

Lock my phone while 1password is unlocked and running in the background.

Block my face and unlock my phone using the passcode.

Reset Face ID using the passcode.

Set up Face ID.

Bring 1password to the foreground

1password is still unlocked.

Do I have something configured incorrectly or is there a way to force 1password to lock when I unlock the phone using the passcode?

OK, I think I figured out how to make this work.

It looks like 1password "Auto-lock on Exit" needs to be set to Immediately.

1P_Dave Does this sound correct?
1P_Dave
Moderator
3 years ago
XIII

Passkeys can provide the same level of security as password + two-factor authentication, with a lot less friction. It isn’t necessary to use a separate multi-factor authentication solution on top of a passkey. Passkeys cannot be remotely phished, socially engineered, or leaked. Those are the threats that two-factor authentication was designed to protect against.

If you'd like to continue using an account password, Secret Key, and your security key then you'll be able to continue to do so rather than using a passkey to unlock 1Password.

-Dave
XIII
Super Contributor
3 years ago
Will I be able to use both a passkey and a (physical) security key (back up) to unlock my 1Password account?
prime
Dedicated Contributor
3 years ago
1P_Dave

The attack that you mentioned would require that a malicious actor has access to both your physical device as well as that device's passcode.

That’s my concern. Let’s say I had a 6 digit pin and someone saw me put that in, and then took my phone. The attacker had my phone, my 6 digit PIN, so wouldn’t he have access to my passkey that unlocks 1Password and able to get into my 1Password? I feel like my iPhones password is now weak link in this new set up.

I have a long alphanumeric password, but then again, in the new passkey set up, that’s protecting my 1Password.

Forum Discussion

Passkey and unlocking 1Password with it (biometrics) in iPhones

22 Replies

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

Tahoe - biometrics sensors have been locked out

Package manager support on arm64 Linux distributions

Trouble with passkey and Safari

Incorrect accent colour on Windows

Please update the Windows Tray Icon