Protect what matters – even after you're gone. Make a plan for your digital legacy today.
You should prevent users to register a passkey for 1Password account with the 1Password app
My friend is using Bitwarden and we were talking about securing our password managers account with a passkey. I learned from him that Bitwarden prevent their users to register a passkey for their Bitwarden account (so when your are on the bitwarden website I guess) and I tried it on the 1Password website. As you can see I successfully registered both a TOTP and a passkey for my 1Password account and was able to easily (maybe too easily ??) store them in my 1Password vault. If your using 1Password as your main TOTP authenticator app for all your accounts, I guess having the 1Password TOTP inside 1Password is useful for quick access when you want to Set up a 2nd or 3rd device when you still have access to the 1st one. But it feels to me like this is dangerous and can lead to users being blocked out of their vault, and even more dangerous when doing this with a passkey. Am I wrong ? Thanks in advance for any insights in this !
How to Migrate 1Password Vaults to Bitwarden Folders (With Passkeys!) using iOS 26 CXP
I just finished migrating my credentials from 1Password to a fresh Bitwarden setup, and I wanted to share a workaround for a major pain point regarding vault organization and Passkeys. Those who used 1Password v7 will remember that exporting by vault was standard. In v8, this has been reduced to an "all-at-once" account export. If you want to maintain your organization during a move, this creates a mess. The Challenge: Maintaining Structure If you have multiple vaults (Work, Personal, Shared, etc.) and want them to land in specific Bitwarden Folders, an "all-at-once" export creates a massive, unorganized pile. Plus, standard file exports (CSV/1PUX) usually break Passkeys. The Solution: The "Single-Vault Pipeline" (iOS 26 CXP) By using the newly introduced Credential Exchange Protocol (CXP) on iOS 26, you can move your data app-to-app, vault-by-vault, and keep your Passkeys intact. (Note: I used a 1Password Family account and a free Bitwarden account for this). The Migration Manual: Prep 1Password (Web Browser) Log into 1Password.com on a desktop. Go to Manage Account > People > Select your account > Manage Vaults. The Trick: Deselect all vaults until only one is left visible to your user. Now, your mobile app will only "see" that specific vault. The CXP Transfer (iOS Device) Open the 1Password app on your iPhone/iPad. Navigate to Settings > Advanced > Start Export. Enter your account name (there is a hint at the bottom) and approve. Select Bitwarden as the destination. It will open Bitwarden and securely transfer everything from that one visible vault—including Passkeys and TOTP seeds. Assign to Folders (Bitwarden Desktop) Open the Bitwarden Web Vault on your computer. Click on "No Folder" (this shows all the items you just imported that don't have a folder assignment). Click the "Select All" checkbox at the top. Click the three dots (⋮) above the list > Add to Folder. (Note: You’ll need to create the folder first by pressing the + New button). Rinse and Repeat Go back to the 1Password web interface. Deselect the vault you just finished and select the next one. Repeat the iOS export. Because Bitwarden treats these as new "unassigned" items, you can neatly move the next batch into the correct folder. Why this is the optimal way: Passkeys & 2FA: Unlike file exports, CXP moves the actual cryptographic keys for Passkeys and your TOTP seeds. Shared Protocol: Because it uses a modern exchange protocol, misc info and custom fields transfer much more accurately than a messy CSV. Organization: You don't have to manually sort 1,000 items at once. You do it in controlled, vault-to-folder chunks. Hope this helps someone else stuck in the migration process!
Invalid pop-up asking for a passkey
I'm on macOS 26 using the Safari web browser. Every time I go to chase.com, (and a few other web sites) 1Password presents the following pop-up. As far as I can tell, searching through chase.com's security settings, they do not yet support passkeys. My 1Password entry for chase.com does not give me the banner that chase.com supports passkeys, offering for me to use passkeys. How do I get 1Password to stop presenting this dialogue for websites that do not support passkeys?
Can not create passkey for an existing account
Right now can I not create a passkey for an existing Facebook account. I use 1Password for Windows 8.12.4, with the Windows 11 integration to manage keys with 1Password, and 1Password for Android 8.12.4. If I try to make a passkey with the Microsoft Edge browser in Windows 11 do the passkey creation end with the failure "it was not possible to store the passkey". If I instead try to make a passkey in the mobile do the existing Facebook account not show up in the list of accounts, but instead some other existing accounts, when I am asked for in which account I want to store the new passkey. The only alternative I have is to store the passkey in a new account. When I did that did I notice that the new account were associated with the URL https://accounts.meta.com while I only had the URL https://www.facebook.com for that account, so I removed the new account and added the first URL also to the existing account, but that did not solve the problem. This has worked before in Windows before the new Windows 11 integration, but it do not work in the mobile either so it may not be because of the Windows 11 integration. Something must have caused this to not work any longer, and I unfortunately do not have more information about it to share except for this.
FIDO passkey Cross-Device Authentication (CDA)
I try to understand how I can login to eg a web site with passkeys on a device where I do not have the keys in any way. A practical use case example to explain: I have an account at LinkedIn. I have added a passkey in 1Password for LinkedIn. I go to a laptop where I do not have any passkey stored, nor 1Password installed (for example if I visit a friend). My testing is done on Linux laptop (LMDE 7). Two separate questions: On Firefox, I cannot find any option to choose Cross-Device Authentification. Is it because this function is not implemented in Firefox, or am I doing anything wrong? On Chromium I can right click in the e-mail box and get a meny where I indeed can choose Cross-Device Authentification, a QR code is shown up. I then open my Android phone (/e/OS "de-googled OS"). But I cannot find any procedure inside 1Password or any other method to scan that QR code and login with the Cross-Device Authentification method stored in 1Password. Should it work? Reference: Passkeys FAQ at https://fidoalliance.org/passkeys/
Prefer passkey when using autofill (don't fill the password)
When a passkey has been properly configured for a site, this should be the preferred way to login. (or at least configurable per site) e.g. on Amazon 1Password still fills the email, then the password and the OTP -> the preferred way is email + passkey + OTP.[Feature Request] Allow OTP and Passkeys Only from Mobile Device
I would like to request a security-focused feature related to both passkeys and OTP codes. My goal is to enforce a workflow where passkeys and OTP codes can only be approved from my mobile device, even when I initiate login from a desktop browser. What I’m requesting: Mobile approval required for Passkeys When logging into a website from my desktop, instead of immediately completing the login after unlocking 1Password, I would like a push-style approval request on my mobile device. The login should only proceed after I explicitly approve it on my phone. Mobile approval required for OTP autofill When a site asks for a 2FA OTP code, the desktop extension should not immediately reveal or autofill the OTP. Instead, the OTP should only be: Visible on the mobile device Auto-filled on desktop only after I approve it from the phone Optional “OTP visible only on mobile” mode An additional security setting where OTP codes are never displayed on desktop at all. The mobile device would act as the secure second factor, and desktop would only receive the code after explicit approval. Why this matters Currently, unlocking 1Password on desktop (with password or biometrics) immediately grants access to passkeys and OTPs. While secure, this behaves similarly to password autofill from a user-experience perspective. What I’m looking for is a stricter security model where: Desktop acts as the request origin Mobile acts as the approval authority This would provide stronger separation between the device initiating the login and the device authorizing it — similar to how some authenticator apps handle push-based approvals. It would significantly improve confidence when using passkeys and OTPs for sensitive accounts. Is something like this planned or under consideration? Thanks!
