Forum Discussion

JAC3467's avatar
JAC3467
Occasional Contributor
23 days ago
Solved

Passkeys in a compromised account

In today's (2/26) Wall Street Journal is an article about someone whose 1Password account was hacked via Github malware, with the hacker gaining access to the poor guy's vault(s). He did not have 2FA enabled for his 1Password account. (Not sure about the secret key in this scenario?) (Article titled: "A Disney Worker Downloaded An AI Tool. It Led To A Hack That Ruined His Life.")

In his 1Password account were credentials that included 2FA one-time codes. There are some (me) who believe having a 2FA code in 1Password along with the username and password is a bad idea, as if a compromise occurs, all the bits to get into an account are right there. So I use an authenticator app for critical accounts. Simple enough: the second factor is someplace else, so bad guys need to do more work to get into an account.

But it got me thinking about passkeys.  I've done forum searches and other digging on this question, and I'm still not quite sure on the answer.  And that is, if, as in the above scenario, my 1Password account is compromised and a hacker gains access to my vaults with my credentials via a browser, do the passkeys stored in 1Password enable access to those accounts?  Or is there something about the passkey security model that prevents access in this scenario?

At this point I'm thinking the answer is yes as the private key is stored in 1Password - that's why the passkey works on all my devices. 

That said, the question remains.  I look forward to reading the answer.

  • oshloel's avatar
    oshloel
    New Contributor
    psiberfunk wrote:

    What I DON'T understand about this article is how the secret key didn't serve as a second factor of sorts and how they exfiltrated the 1Password data.

    Exactly. The victim in this case sounds to be fairly sophisticated and knowledgeable from a technical standpoint, so what attack vector was used?

    About the only scenario I can think of is that he logged into his 1P ACCOUNT at 1P.com using his Secret Key & PW for some reason vs unlocking his local app using his pw rather than biometrics (I use touch ID on my Mac except when required to use my pw once a month or so).

    ...still looking for more specifics to assure that I don't have a similar open door... Hopefully, AgileBits is investigating and will provide a comprehensive blog post...

  • 1P_Blake's avatar
    1P_Blake
    Community Manager

    Hey JAC3467! 👋

    First, to address the core concern that some folks might have upon jumping into this thread: 1Password itself was not hacked. In this case, the attacker compromised the individual’s local device and intercepted their Account Password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker can gain nearly unrestricted access.

    While enabling 2FA on your 1Password account is a great security measure, it would not have prevented this specific attack. 2FA on your 1Password account helps protect against unauthorized access from new or untrusted devices—but since the attacker was logging in from the victim’s already-authorized device, 2FA wouldn’t have applied in this scenario.

    To guard against attacks that exploit compromised devices, you should:

    • Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
    • Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
    • Strengthen authentication for critical accounts —use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
    • Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
    • psiberfunk's avatar
      psiberfunk
      New Contributor

      This is a decent enough reply, but it doesn't address 1Password's bizarre article where they claim to be taking all the steps and to always choose security, but NOT to be implementing RASP techniques on Windows, where the protections are weakest and users most vulnerable.

      Other than having to pay a 3rd party, the excuses around usability fall flat, as these types of solutions are transparent (other than sometimes being flagged as malware). 1P_Blake, would 1Password consider making this at least an optional extra security measure/layer that Windows users could turn on to help make 1Password more resistant to malware that DOES happen to infect a PC? I understand it's not perfect, but RASP mechanisms to protect applications do exist.

  • Vincent's avatar
    Vincent
    New Contributor

    Anyone with remote access to your machine while 1Password is authenticated could result in stolen credentials via export or otherwise. Not much that could be done about this. Need better spyware protection on Windows.

    • psiberfunk's avatar
      psiberfunk
      New Contributor

      Well, to some degree Windows offers lower inter-process protection and hardening than is available on other platforms like iOS/Android/macOS. 1Password themselves even cite this. They also cite that they could in theory be doing more programmatic hardening on Windows but choose not to do the obfuscation because it sometimes makes things hard to debug (a bit of a cop-out IMO): https://blog.1password.com/local-threats-device-protections/

      The article sounds sane but then ends with some pretty air-headed contradictory commentary "When security restrictions clash with convenience and we have to make choices, we’ll always choose to give your secrets the best fighting chance."  -- Except they explicitly disclaim making this choice in the prior paragraph:

      Runtime Application Self-Protection frameworks, for example, would allow us to make even root level attackers suffer. But these third-party products often have serious performance, reliability, and privacy considerations. The implications are serious enough that we’ve decided not to use them.

      Translation: We aren't experts in DRM and malware-style obfuscation of code, and we don't want to pay someone else to do it, because that would cost money and make debugging hard.

      Such products exist and DO work to make attackers' lives hard, with relatively small or negligible performance hits most of the time. The best of them do use more aggressive kernel drivers and such. Since they don't say what usability issues would be caused by using such tools, it feels like a bit of handwaving from 1Password on this, from a product management perspective. Ultimately it could be compromised too, of course, but it's utterly ridiculous to then follow this up with "we'll always choose to give your secrets the best fighting chance," right after you've said that you made the opposite choice.

  • psiberfunk's avatar
    psiberfunk
    New Contributor

    My understanding is also that passkeys would be compromised in this case.

    What I DON'T understand about this article is how the secret key didn't serve as a second factor of sorts and how they exfiltrated the 1Password data. I suspect they didn't log in to it remotely (they would have needed the secret key to add a new device, which they were unlikely to get from a keylogger), but instead got to the data via the unlocked 1Password app on the guy's home computer, in which case a second factor like a YubiKey or authenticator wouldn't have saved him. This article and others are lacking here on what precisely happened.