Forum Discussion
lodaka
2 years ago, Frequent Contributor
Passkey implementation and usage
Hello, I wasn't sure where to post this; so, please move this thread to an appropriate place if needed.
After the recent update, I am now experimenting with the passkey function of 1Password. I've read many articles but I'm still not 100% sure how this works in real life, and where 1Password fits in.
As my first foray into this, I enabled Passkey on one of the websites, using the Windows app of 1Password. I see that it now created a "passkey" entry in the program. I have two issues:
1. It still left the password / mfa entries alone, both in 1Password and the website. I am assuming that it's now safe to remove the password / mfa? Is this recommended?
2. I then used my phone to go to the same website, thinking that 1Password somehow will be sync'ing this same passkey to my phone for me to "use". However, I am not sure how this sync'ing is supposed to work. How does the website know that I have this passkey? For instance, when I tried logging in using "Passkey", it says something like "Your device is not registered". Does this mean I have to repeat the same procedure for each device?
I think I understand passkey better as a concept than how it works in real life. I am a bit more concerned about #2 above, as I would not be able to "copy and paste" the passkey (haha) the same way I would with passwords. This makes sense except that I shudder to think that I need to create a passkey for each device I have.
Any guidance would be much appreciated.
14 Replies
- wlclev42 (New Contributor)
Agreed: "A simple, if possible, tutorial/article on setting up Passkeys for one app that is accessed from Windows (2 devices), and a cellphone." Passwords are so important that using a different process without a clear understanding is beyond a concern.
- GolferWHH (Occasional Contributor)
Excellent thread. I am also exploring transitioning from passwords, and some 2FA where warranted, to Passkeys.
Read and viewed numerous articles/videos on Passkeys. It all makes sense and looks very similar to a Public Key Infrastructure system implemented way back in 2006 at my employer. It all makes sense and seems real simple until you run into the great world we all, or most of us, live in.
Our home environment is a Windows desktop, a Windows Laptop, a Pixel 7 and 1Password. My wife also uses the two Windows devices and has her own Pixel 6. I keep the SW as up to date as possible. This creates all sorts of anxiety when she is confronted with "transparent SW changes". The latter is a great source of concern as she struggled with 2FA for banking/Credit Card accounts.
So what is missing is a simple, if possible, tutorial/article on setting up Passkeys for one app that is accessed from Windows (2 devices), and a cellphone. A few pointers on the need for Biometric authentication, and what happens if this is not available on one or more devices.
If I understand everything I've read, a separate Passkey (device registration) will be required for each device and will be linked to the account. I believe this is required to login to an account with passkeys from each device without requiring a separate device to "authenticate". Pardon me for not having the terminology correct as I'm sure some of what I've written is not using the correct terminology.
BTW: Seems to me each Vendor playing in the Passkey space (Google, Microsoft, and 1Password) includes some product sales/marketing in their user help/tutorials and this does help confuse it for us great unwashed.
BTW2: Given my "tech support" role in our house, it strikes me one of the impediments to Passkey implementation is the level of technical information that is being provided/needed to use Passkeys. Suspect this is required due to the implementation/adoption phase of Passkeys.
Thanks for opening this thread, it captures my issues perfectly.
- rickapel (Occasional Contributor)
This post captures my questions perfectly as I just created my first few passkeys this week. We need strategies in general as most of us now have a PW, passkey, and 2FA set up. We need advice on removing unneeded items to create a safe login while leaving a minimal set of attack vectors in place. I'm going to pile on my questions, hoping that others see them and respond.
1) One of the things I have in the back of my mind is if some of the advice would be based on how passkeys were implemented on the different web sites. Is this assumption correct?
2) When I was researching hardware devices, it was mentioned that a backup plan was necessary if the hardware was lost. I believe the advice was to set up 2 hardware devices in case you lost one so you could at least login and remove the 1st device.
In the instance of using 1password, I would not think that would be necessary as you have software copies of the passkeys on multiple devices. I would like this advice to be validated per the second comment from the OP, who received the "Your device is not registered" message.
I would think that a passkey is a passkey regardless of the device the client is using. My other thought on this is that the message the OP received above was sent due to a web site specific validation which might have been outside of the protocol used for the validation of passkeys.
(I do believe that one web site gave me a recovery key to be used but I'm going from memory on that one and just want to focus on getting these questions posted for now)
3) I share a few accounts with my kids (now adults), one who has their own 1password account, and one who does not.
I typically share a 1password link with the kid who has 1password and life is good. I've done this when creating OTP's and would assume the passkeys would migrate over too. Am I correct on this assumption?
4) With the kid that doesn't use 1password, I managed to get him set up such that he uses a 3rd party app with the OTP key that I originally created with 1password. My kid who uses 1password quickly saw the value of it, but I'm still working on the other kid to start using it instead of using scraps of paper. Is there a way to export a passkey so that kid can temporarily use passkeys with a 3rd party app during the interim period?
Thanks in advance for any responses?
Fredrick (Rick) Apel
- lodaka (Frequent Contributor)
Just following up on this. I am especially curious about the situation #2. Thank you.