
1Password to Offer Passkey-Only, No-Password Logins

The password manager service will allow users to create an account without creating a master password, instead relying on device-centric passkey security.

February 9, 2023

Sometime this summer, people signing up for the 1Password password manager won’t need to remember one especially critical and complex alphanumeric string—the master password that service requires today.

The Toronto company announced Thursday that it will instead invite customers to create and unlock an account with passkeys—complex and unique tokens generated on a biometrically secured device that only work in physical proximity to the computer hosting the login attempt. 

Apple, Google, and Microsoft jointly announced support for this open authentication standard last May, but a password manager offering passkeys as a primary authentication system is a major step forward.

“In 2022, it was rare that a month went by without a high-profile social, identity, or security service being breached,” says Chief Product Officer Steven Won. “Instead of playing whac-a-mole with passwords, why not eliminate that avenue of attack outright?” 

In a demo shown over a Zoom call, a tap of a Mac’s Touch ID button in response to a “Sign in with Passkey” prompt was enough to create a 1Password account. 

The current new-account experience is a lot more complicated: After providing a name and an email address, you create a master password with at least 10 characters that you cannot under any circumstances forget. Then you download an “Emergency Kit” PDF that contains a randomly generated “Secret Key” that was used to further scramble your private encryption key, and which you may have to type in to authenticate logins to new devices. 

The sales pitch at 1Password ($35.88 a year for individuals, $59.88 for families) has emphasized the importance of that Secret Key to its security, especially after worsening revelations of a data breach at the competing password manager LastPass that compromised encrypted user-data vaults and left customers’ master passwords as their last line of defense.

In a Dec. 28 post, for example, 1Password principal security architect Jeffrey Goldberg wrote that “if 1Password were to suffer a similar breach, the attacker would not be able to crack your combination of account password and Secret Key – even if they put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe.”

A Jan. 10 post from CTO Pedro Canahuati reiterated that point: “Our dual-key encryption ensures a breach of 1Password’s systems would pose no threat to sensitive information stored in your vaults.”

So how can 1Password justify dropping its second level of defense? 

In that Zoom call, CEO Jeff Shiner said this new option ensures that “the guessing game” of compromising a user-chosen master password can never start, while the randomly generated token at the core of passkey authentication is more complex than 1Password’s secret key and yields harder-to-crack encryption than today’s approach. 

“Now in the world of passkeys, you have none of the friction of having to choose and remember a password,” he said. “You're using your own device as that indication of who you are.” 

The assumption throughout is that you’ll authenticate each passkey login with such biometric methods as fingerprint or facial recognition, but the underlying spec allows for a less-secure PIN unlock too.  

What if you lose that device? “We are relying on the platforms to provide us with an extra layer of resiliency and redundancy,” said product director Mitchell Cohen on the call. Citing the example of that Touch ID-assisted log-in, he nodded to how Apple’s iCloud stores an encrypted copy of each passkey on iCloud keychain: “You'll be able to recover your passkey.”

Having Apple, Google, and Microsoft lead the early passkey push has raised platform lock-in anxieties, but 1Password will allow cross-platform passkey transfers, such as by scanning a QR code on the screen of the old phone from the new phone.

Won further pointed out that the passkey architecture’s Bluetooth proximity verification–confirming that the person holding the phone with the passkey is next to the screen with the requested login–renders a lost or stolen device useless.

“Because that authentication request is bound specifically to the device, it's proven user presence,” Won said. 

The initial passkey-login feature will be an optional beta service this summer. 

“We are going to make it optional to start with, to make people comfortable,” Won said. “My dream is to be able to say at the end of this year, hey, we have the largest deployment of passkeys on the internet.”

That may not be hard, considering the slow uptake of passkey authentication so far. The directory of passkey-enabled sites that 1Password maintains showed only 31 entries Wednesday, one of them a demo site that 1Password set up last year. 

The company has been moving towards this goal for some time. In November, 1Password purchased Passage, a passkeys authentication firm, to build up its enterprise-login business.

In an interview with PCMag at the Web Summit conference soon after, Shiner outlined the passkey message 1Password would bring to businesses—one that now reads as a preview of its new proposition for individual customers.

“It's going to be more secure for you than username and password, but it will still actually be more convenient for you as an end user,” Shiner said then.


About Rob Pegoraro

Contributor

Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.
