Forum Discussion
krusnof
2 years ago
Dedicated Contributor
Passkey caching setting
I saw this in the browser extension, and I'm not able to find any information about it, so could someone please help advise what it means and why not to disable it to keep it more secure (which it se...
1P_Dave
Moderator
2 years ago
Hello folks,
I'm sorry for the confusion. One of the goals of 1Password, and password managers in general, is to avoid revealing any information about the items that you store in 1Password when 1Password is locked. It's why, when you lock 1Password, everything that you store in 1Password is encrypted locally. Because of this security architecture, there is no way for the browser extension to know whether you have a passkey saved for a specific site when 1Password is locked. This can create a clunky user experience where you're prompted to unlock 1Password when a site requests a passkey that does not exist in 1Password.
The "Allow caching passkey IDs in local storage" feature caches hashed passkey credential IDs in your browser's local storage. This allows the extension to "know" that you have a passkey saved for a particular website even if 1Password is locked so that you can be prompted to unlock 1Password and sign in. The actual passkey itself remains encrypted.
The threat model to consider is local attackers. Code running on your local system, such as malware, could potentially see the cached passkey credential IDs. As mentioned, your actual passkeys are still encrypted but the following could be found out by a local attacker on your system:
- The number of passkeys saved in 1Password.
- If any websites that you use store passkey credential IDs locally, such as in session storage or cookies, then an attacker could correlate credential IDs in those files with the cached credential IDs from 1Password to learn that you're storing a passkey for that specific website in 1Password.
I can definitely see how the description could be made clearer and I've passed your feedback along to the team internally. I've also filed an issue to have documentation about this feature added to our website.
-Dave
ref: dev/web/support.1password.com#4560
ref: PB-42242802
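
An added illustration of the trade-off described in the reply above; it is not part of the original post and is not 1Password's code. It assumes unsalted SHA-256 as the hash and uses constructed credential IDs and hypothetical function names to model what a locked extension can decide from the cache and what anyone able to read that cache can infer.

```javascript
// Added illustration: a simplified model, not 1Password's code.
// Assumptions: unsalted SHA-256 as the hash; every name and sample value below.
const nodeCrypto = typeof require === "function" ? require("node:crypto")
  : process.getBuiltinModule("node:crypto"); // loads under CommonJS or ESM

const hashId = (credentialId) =>
  nodeCrypto.createHash("sha256").update(credentialId).digest("hex");

// What is written to local storage while unlocked: hashes only, no keys, no site names.
function buildCache(vaultPasskeys, cachingEnabled) {
  return cachingEnabled ? vaultPasskeys.map((p) => hashId(p.credentialId)) : [];
}

// Locked extension handling a site's passkey request (its allowCredentials list).
function lockedDecision(cache, cachingEnabled, allowCredentialIds) {
  if (!cachingEnabled) return "prompt-unlock"; // cannot tell, so it always has to ask
  const hit = allowCredentialIds.some((id) => cache.includes(hashId(id)));
  return hit ? "prompt-unlock" : "stay-locked";
}

// What any process that can read the cache learns, given credential IDs it
// found stored elsewhere on the machine (e.g. in a site's own cookie).
function cacheExposure(cache, idsSeenElsewhere) {
  return {
    passkeyCount: cache.length,
    sitesConfirmed: idsSeenElsewhere
      .filter((s) => cache.includes(hashId(s.credentialId)))
      .map((s) => s.site),
  };
}
// Constructed sample data.
const vault = [
  { site: "shop.example", credentialId: "cred-AAA-constructed" },
  { site: "mail.example", credentialId: "cred-BBB-constructed" },
];
const siteStoredIds = [
  { site: "shop.example", credentialId: "cred-AAA-constructed" },
  { site: "bank.example", credentialId: "cred-ZZZ-constructed" },
];
function demo() {
  const on = buildCache(vault, true);
  return {
    knownSite: lockedDecision(on, true, ["cred-BBB-constructed"]),
    unknownSite: lockedDecision(on, true, ["cred-ZZZ-constructed"]),
    settingOff: lockedDecision([], false, ["cred-ZZZ-constructed"]),
    exposureOn: cacheExposure(on, siteStoredIds),
  };
}
console.log(demo());
```

With the setting off the cache is empty, so nothing can be counted or correlated, at the cost of an unlock prompt on every passkey request.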