Forum Discussion
mike48397289
2 years ago
Frequent Contributor
Suggestion for Passkey only access on new device, no existing device access needed
After using the new beta access, I like it but I am concerned that the recovery key not needs storage just like the secret key. It also then needs to be sent to the email address which creates a phis...
1P_Dave
Moderator
2 years ago
Hello mike48397289! 👋
Thank you for helping us test passkey unlock for 1Password through our public beta!
The recovery code does not serve the same purpose that the Secret Key does in traditional 1Password accounts. For traditional accounts, you'll always need both your account password and Secret Key to add your 1Password account to a new device. The recovery code, on the other hand, is an emergency feature for passkey unlock accounts that is only used if you've lost access to either your passkey or all of your trusted devices.
The recovery code is not something that you'll use normally to add your account to a new device and hopefully it's something that you'll never need to use. I recommend that you save your passkey in a safe place, like iCloud Keychain, where it will be encrypted, backed up to your Apple account, and synced to all of your Apple devices. I also suggest that you add as many trusted devices to your 1Password account as you can to avoid being locked out.
Your passkey authenticates you to the 1Password server, which then sends a notification to all of your existing trusted devices. Your trusted devices will then ask you if you'd like to set up a new device. If you provide confirmation, then the keys to unlock your account are sent to your new device via an end-to-end encrypted tunnel from that existing trusted device. While the passkey authenticates you to our server, it is the keys from your trusted device that allow you to decrypt your account data on the new device.
Without the keys from an existing trusted device you wouldn't be able to decrypt your items. You can read more about the security of passkey unlock here: About the security of unlocking 1Password with a passkey
When access to a new device is needed in the absence of an existing device, the recovery server can be accessed by passkey. I assume that zero knowledge by 1password of the passkeys will not be possible (or this whole problem would not exist) - but this isn't an issue because the best 1password could see is the recovery key and not know which account it applies to.
In the scenario that you've described, passkeys would only help to authenticate your 1Password account; decryption of your data would still require keys from one of your existing trusted devices.
In emergency situations, where you've lost either the passkey or all of your trusted devices, cryptographic recovery of your account requires the recovery code (and identity verification using your email address). If we stored your recovery code on 1Password servers and protected it only via authentication using your passkey, and not end-to-end encryption, this would make the recovery code (and your data) theoretically accessible to an attacker who breached our servers.
The current architecture, with trusted devices and a recovery code that you protect yourself, is designed so that we here at 1Password can never access the information stored in your account. This zero-knowledge architecture is vital to protect your data from both attackers and from 1Password itself: 1Password Zero-Knowledge Encryption Protects Your Sensitive Data
In summary: in almost all cases you'll use your passkey and an existing trusted device to add your 1Password account to a new device. If you lose your passkey and all of your trusted devices then you can use your recovery key (which should be stored somewhere secure like a personal safe) and your email address to recover access.
I hope that helps! 🙂
-Dave