Forum Discussion

mike48397289
Frequent Contributor
2 years ago

Suggestion for Passkey only access on new device, no existing device access needed

After using the new beta access, I like it, but I am concerned that the recovery key now needs storage just like the Secret Key. It also then needs to be sent to the email address, which creates a phishing and access problem.

I have two suggestions. The first is for completeness and I am sure it will be thrown out (academically I'd like to hear the argument why the first won't work, but intuition says it won't). The second I am confident will work.

  1. Keep the recovery key stored with every passkey.

    If the passkey standard does not allow this, then append it to the username or other field that allows it. This might invalidate all existing passkeys should it be changed in future (desirable? not sure).

  2. Create a recovery key storage server.

    These accounts are accessed by passkeys only. This server and its accounts are independent from the 1P main accounts. The user can only store recovery keys/credentials there. Crucially, the recovery account will never store the main account username or email address or anything connected to the main account. The user will be able to nickname multiple recovery keys to help them remember which is which. The user will be discouraged from entering data that identifies the main account. When access to a new device is needed in the absence of an existing device, the recovery server can be accessed by passkey. I assume that zero knowledge by 1Password of the passkeys will not be possible (or this whole problem would not exist), but this isn't an issue because the best 1Password could see is the recovery key and not know which account it applies to. There would need to be an audit of logging etc. to prevent this connection to the main account being made. No email would be sent to the user's email address, therefore meaning no phishing, snooping etc. is possible.

The second option allows a hardware key to have 100% passkey-only access to any vault. It needs a passkey for the main vault and a passkey for the new device recovery vault. The user would only need to remember their email address during the recovery process so the recovery can be applied to the correct account (although maybe some clever programming could even take an email address from the other passkey?). Other than for connecting the recovery account to the main account (during recovery only), the email address is otherwise not used.

PS - the way a new device is currently implemented, this looks amazing. I'd suggest using this for the current Secret Keys too, as it makes more sense for those. Also, generating random codes that are longer but not a mix of caps/non-caps would be easier to type in. Alphanumeric (and longer) codes are much quicker in my mind.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

2 Replies

  • mike48397289
    Frequent Contributor

    Thank you 1P_Dave for your reply. Maybe my somewhat long initial message missed the important starting point.

    It should be possible to log in from scratch using a passkey on a YubiKey etc. with no other device required. The current implementation doesn't permit this. Worse still, it requires access to your email, which ideally will have that password/OTP/passkey stored in 1Password, but you won't have access to that. It's very circular and will result in people getting locked out unnecessarily.

    The user needs to carry a copy of the recovery code and email credentials outside of the password manager. This is hard to do securely, which is why we use password managers.

    I'm very disappointed with this implementation because it somewhat undermines the whole point of a password manager.

  • Hello mike48397289! 👋

    Thank you for helping us test passkey unlock for 1Password through our public beta!

    The recovery code does not serve the same purpose that the Secret Key does in traditional 1Password accounts. For traditional accounts, you'll always need both your account password and Secret Key to add your 1Password account to a new device. The recovery code, on the other hand, is an emergency feature for passkey unlock accounts that is only used if you've lost access to either your passkey or all of your trusted devices.

    The recovery code is not something that you'll use normally to add your account to a new device and hopefully it's something that you'll never need to use. I recommend that you save your passkey in a safe place, like iCloud Keychain, where it will be encrypted, backed up to your Apple account, and synced to all of your Apple devices. I also suggest that you add as many trusted devices to your 1Password account as you can to avoid being locked out.

    Your passkey authenticates you to the 1Password server, which then sends a notification to all of your existing trusted devices. Your trusted devices will then ask you if you'd like to set up a new device; if you provide confirmation, then the keys to unlock your account are sent to your new device via an end-to-end encrypted tunnel from that existing trusted device. While the passkey authenticates you to our server, it is the keys from your trusted device that allow you to decrypt your account data on the new device.

    Without the keys from an existing trusted device you wouldn't be able to decrypt your items. You can read more about the security of passkey unlock here: About the security of unlocking 1Password with a passkey

    "When access to a new device is needed in the absence of an existing device, the recovery server can be accessed by passkey. I assume that zero knowledge by 1Password of the passkeys will not be possible (or this whole problem would not exist), but this isn't an issue because the best 1Password could see is the recovery key and not know which account it applies to."

    In the scenario that you've described, passkeys would only help to authenticate your 1Password account; decryption of your data would still require keys from one of your existing trusted devices.

    In emergency situations, where you've lost either the passkey or all of your trusted devices, cryptographic recovery of your account requires the recovery code (and identity verification using your email address). If we stored your recovery code on 1Password servers and protected it only via authentication using your passkey, and not end-to-end encryption, this would make the recovery code (and your data) theoretically accessible to an attacker who breached our servers.

    The current architecture, with trusted devices and a recovery code that you protect yourself, is designed so that we here at 1Password can never access the information stored in your account. This zero-knowledge architecture is vital to protect your data from both attackers and from 1Password itself: 1Password Zero-Knowledge Encryption Protects Your Sensitive Data

    In summary: in almost all cases you'll use your passkey and an existing trusted device to add your 1Password account to a new device. If you lose your passkey and all of your trusted devices then you can use your recovery key (which should be stored somewhere secure like a personal safe) and your email address to recover access.

    I hope that helps! 🙂

    -Dave
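The difference the two posts argue over (a recovery code that the server holds and releases after passkey authentication, versus a recovery code that only the user holds and that wraps the account key end-to-end) can be made concrete with a small simulation. The following is an added example written for this thread, not 1Password's code or protocol: it models both designs with standard-library primitives (a toy HMAC-SHA256 stream cipher with an encrypt-then-MAC tag, PBKDF2 for key derivation) and then simulates a breach of the server's storage. The class names, the `passkey_verified` flag, the account name and the recovery-code format are all constructed for the demo. The "auth-gated" branch also assumes the breach reaches both the recovery store and the wrapped account data, which is the scenario Dave's reply describes.

```python
"""Toy comparison of auth-gated vs. zero-knowledge recovery-code storage.

Constructed example for the discussion above; not 1Password's implementation.
The stream cipher below exists only so the script runs with the standard
library; a real system would use an audited AEAD such as AES-GCM or XChaCha20.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy keystream for this demo only."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def kek_from_recovery_code(code: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from the user-held recovery code."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class AuthGatedRecoveryServer:
    """Suggestion 2 from the opening post: the server keeps the recovery code
    (under a nickname) and releases it after a passkey authentication."""

    def __init__(self) -> None:
        self._records = {}  # nickname -> recovery code, in plaintext

    def store(self, nickname: str, recovery_code: str) -> None:
        self._records[nickname] = recovery_code

    def fetch(self, nickname: str, passkey_verified: bool) -> Optional[str]:
        return self._records[nickname] if passkey_verified else None

    def dump(self) -> dict:
        """What a breach of the server's storage yields; no passkey check runs."""
        return dict(self._records)


class ZeroKnowledgeRecovery:
    """Dave's description: the user keeps the code; the service stores only
    the account key wrapped under a key derived from that code."""

    def __init__(self) -> None:
        self._records = {}  # account -> (salt, wrapped account key)

    def enroll(self, account: str, account_key: bytes, recovery_code: str) -> None:
        salt = os.urandom(16)
        self._records[account] = (salt, seal(kek_from_recovery_code(recovery_code, salt), account_key))

    def recover(self, account: str, recovery_code: str) -> Optional[bytes]:
        salt, wrapped = self._records[account]
        return unseal(kek_from_recovery_code(recovery_code, salt), wrapped)

    def dump(self) -> dict:
        return dict(self._records)


def server_breach_exposes_key(design: str) -> bool:
    """Simulate a storage breach; True if the attacker ends up with the account key."""
    account_key = secrets.token_bytes(32)
    recovery_code = secrets.token_hex(16)  # constructed 128-bit user-held code
    if design == "auth-gated":
        salt = os.urandom(16)
        wrapped = seal(kek_from_recovery_code(recovery_code, salt), account_key)
        server = AuthGatedRecoveryServer()
        server.store("home vault", recovery_code)
        stolen_code = server.dump()["home vault"]  # authentication was never consulted
        return unseal(kek_from_recovery_code(stolen_code, salt), wrapped) == account_key
    if design == "zero-knowledge":
        service = ZeroKnowledgeRecovery()
        service.enroll("alice@example.com", account_key, recovery_code)
        salt, wrapped = service.dump()["alice@example.com"]  # salt + ciphertext only
        return unseal(kek_from_recovery_code("not the real code", salt), wrapped) == account_key
    raise ValueError(f"unknown design: {design}")


def legitimate_recovery_works() -> bool:
    """The zero-knowledge path still recovers with the right code and fails closed otherwise."""
    account_key, code = secrets.token_bytes(32), secrets.token_hex(16)
    service = ZeroKnowledgeRecovery()
    service.enroll("alice@example.com", account_key, code)
    return (service.recover("alice@example.com", code) == account_key
            and service.recover("alice@example.com", code + "x") is None)


if __name__ == "__main__":
    print("auth-gated breach exposes key:", server_breach_exposes_key("auth-gated"))
    print("zero-knowledge breach exposes key:", server_breach_exposes_key("zero-knowledge"))
    print("legitimate zero-knowledge recovery works:", legitimate_recovery_works())
```

The point the simulation isolates is that an authentication check only runs on the request path; an attacker reading the datastore directly never hits it, so in the auth-gated model the stored code is as exposed as any other plaintext at rest. In the zero-knowledge model the same breach yields a salt and a ciphertext, and the unforgeable tag makes a wrong-code guess fail closed rather than return garbage, which is why the code has to live with the user.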