1Passwords —> Passkeys

1Password acquires Passage, will offer new passkey tools

1 Like

Securing their (password-less) future?

2 Likes

This seems like more of a growth opportunity for 1PW than SecretHub. SecretHub has to compete with established secrets management services, and almost every app is already doing something about secrets, even if their practice is bad. Whereas there are so many apps that haven’t begun to think about supporting this kind of authentication.

On the password management side, anything this company can do to accelerate 1PW’s first class support for secure-but-portable keys will help, but the synergy between passkey server/app services and their broader password management service is escaping me. Not saying that means it will hurt either company.

1 Like

As a developer, I love all the things 1Password has done for developers (SSH agent, CLI, REST API, Connect, Service Accounts) after acquiring SecretHub.

3 Likes

1Password has a new landing page about their WebAuthn support coming next year. The phrase that jumped out to me was “digital secrets”; I think this hints at their branding evolution as the definition of password increasingly broadens.

There’s a live demo you can try in Chrome if you have their extension installed. Pretty smooth, though the lack of early Safari support is a little embarrassing even if understandable.

1 Like

Episode 100 of 1Password’s Random But Memorable podcast

“We also discuss THAT LastPass hack in Watchtower Weekly and talk about 1Password’s acquisition of Passage and what it means for a passwordless future.”

Random But Memorable episode 100

3 Likes

“. . . starting this summer, you’ll have the option to create and unlock your 1Password account using only a passkey! No passwords required.”

2 Likes

Nearly a year later: how are you feeling about Passkeys?

I still don’t quite understand it, but they say it’s safer… But I have used 1Password for 10+ years and I have used it religiously. It is no hassle for me to use different passwords and have them stored in 1Password; I would feel less safe if it weren’t that way.

How are people feeling about Passkeys? Are you switching from passwords to passkeys?

CVS pharmacy is an early adopter so I’m going to try out passkeys with them. But I’m going to wait six months or so before I consider switching everything.

I have set up Passkeys on as many accounts that support it as I can. Works fine in 1Password (latest subscription versions). Where supported, I also added a second Passkey via iCloud Keychain.

When logging in, 1PW pops up a prompt first (at least when unlocked) and has an icon to select a different token device which lets me choose the Keychain version. I may not keep both Passkeys around since 1PW lets me use the ones there on the one Windows 11 machine I use rather than setting up yet another passkey via Windows Hello.

I haven’t used Passkeys at all.

@JoePreiser are keychain and 1pw using the same passkey? Why did you decide to enable both?

Different passkey; one stored in 1PW and one stored in Keychain.

I started using Keychain because 1PW didn’t support them until recently. Also, some sites are still finicky, so I can set up only one or the other, or just one.

I wanted to see how well each worked. I will more than likely settle on just one once things settle down.

BTW, I have not yet looked into seeing if I can disable password logins. Again, that will be something once the new tech matures.

I use it for Apple, but I strongly dislike them in general. Consider:

  • Somebody’s ability to access a website with a passkey is tied to (typically) a device they own
  • People lose/break devices with some frequency
  • Their ability to access said website could then, theoretically, disappear with their device

I know, I know…providers like 1PW are theoretically portable. Apple probably puts it in Keychain if you enable iCloud keychain. And there are probably ways to get additional codes that you can use in an absolute emergency to get in.

But those are all arguments from IT people that don’t deal with actual users. Users who, for the most part, currently use something like “letmein123” as a password and expect IT departments to be able to get them into their accounts and do password resets when they forget “letmein123.”

Apple asked me to try logging in using a passkey the other day in macOS, and I tried it. It was super-slick. But I don’t use iCloud Keychain, and it didn’t run me through any prompt about backup codes, risks of device loss, or any of the other stuff that’s a logically necessary pre-discussion before tying a user’s online life to a particular electronic item.

My prediction is that these will be a novelty for a period of time, then more users and institutions will begin adopting them, and then we’ll see the inevitable torrent of users being locked out of important accounts just because their phone broke - and the IT people will do what they always do, blame the users for the IT people’s failure to educate them.

Enpass announced support for passkeys about a week ago; I haven’t tried it out yet.

But that’s the idea, right? Something you know plus something you have?

Edit: Maybe I made a non-intuitive (non-existent?) leap from MFA to passkeys there…

Your leap was actually 100% correct. Actually, passkeys are a choice of “something you are” or “something you know,” combined with “something you have.” It’s two-factor, with the first factor being whatever you use to unlock the device and the second being the device/keychain.

But for that to work you have to have the thing that’s “something you have.” How many people use their phones as their primary (and sometimes only) computing device? What do you do when you lose it, break it, somebody steals it, etc. and you get locked out of your accounts?

I know a guy who irrevocably lost his Gmail account because his phone got destroyed when he was overseas, and Google wouldn’t let him log in without him confirming a code sent to the device that had just been destroyed. They wouldn’t let him use his recovery email or recovery phone number, even though he had - and had access to - both. Presumably if he’d owned a second device that might have saved him - but he didn’t. And Google doesn’t exactly have tech support you can call.

That’s the issue with Passkeys in a nutshell. The process to recover from that will almost certainly involve producing documentation that the average user doesn’t have, and possibly never actually had because they were ushered into use of Passkeys via a poor onboarding process.

And IT people, as a group (which includes myself), tend to be very poor at properly educating users and very good at blaming the users for not being educated when things go south.

1 Like

I think I read something (on this forum?) very similar to this about an Apple ID too, so clearly not every angle has been covered.

1 Like

Interesting post from Apple’s Ricky Mondello about that:

Yes, they should be able to sync to all of your devices. But if “all of your devices” is one device, and hardware authentication is required to get into your accounts - including the account you would need to set up a replacement device - then you are in the scenario that I am talking about. You have one phone, that phone gets lost, and you can’t get into anything.

Consider…

“My girlfriend’s car was in the shop the other day, so she just drove my car to work. Easy enough, right? In case your car breaks down or gets stolen, you should just own another car to use instead.”

That’s effectively what I hear IT people saying with passkeys.

In order to be secure in this scenario, at a minimum you need to own multiple devices, including a device that your passkey credentials are synced to that you don’t actually carry with you, so it doesn’t disappear if somebody steals your backpack or robs you.

Either that or we need robust account recovery procedures that can be initiated without having any trusted device. And we need to educate users regarding what will be required in that scenario, so they don’t get caught flat-footed.

1 Like
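Added example, not code from 1Password, Passage or any vendor discussed in this thread: a small Go model of the passkey challenge/response behind the “something you have” factor described earlier, and of why the advice above to keep a passkey on more than one device matters. The relying party stores only public keys; an authenticator that no longer has its private keys cannot answer a fresh challenge, while a second enrolled authenticator still can. It uses the standard library’s P-256 ECDSA (the ES256 algorithm passkeys use). The names (Authenticator, RelyingParty, user “alice”), the signed data (a bare challenge hash instead of WebAuthn’s authenticatorData plus clientDataHash) and the omission of user-presence and user-verification flags are simplifications assumed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is all the relying party (the website) keeps after registration:
// a credential id and the public key. The private key stays on the authenticator.
type Credential struct {
	ID     string
	Public *ecdsa.PublicKey
}

// Authenticator stands in for whatever holds the private half of a passkey
// (a phone's secure element, a synced keychain, a password manager vault).
// Losing the device or vault means losing every key in here.
type Authenticator struct {
	Name string
	keys map[string]*ecdsa.PrivateKey // credential id -> private key
}

func NewAuthenticator(name string) *Authenticator {
	return &Authenticator{Name: name, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair for one site and returns the public
// credential for the server to store; the private key never leaves the authenticator.
func (a *Authenticator) Register() (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return Credential{}, err
	}
	id := hex.EncodeToString(idBytes)
	a.keys[id] = priv
	return Credential{ID: id, Public: &priv.PublicKey}, nil
}

// Sign answers a server challenge with the private key behind credID.
// Simplification: real WebAuthn signs authenticatorData || sha256(clientDataJSON).
func (a *Authenticator) Sign(credID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New(a.Name + ": no private key for credential " + credID)
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty keeps, per user, the public key of every enrolled passkey.
type RelyingParty struct {
	users map[string][]Credential
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{users: map[string][]Credential{}}
}

// Enroll adds a credential for the user. A second enrollment from a different
// authenticator is what leaves the user a way back in after device loss.
func (rp *RelyingParty) Enroll(user string, c Credential) {
	rp.users[user] = append(rp.users[user], c)
}

// Challenge returns 32 fresh random bytes; issuing a new one per login attempt
// is what stops a captured signature from being replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify checks that sig was produced over challenge by the key enrolled
// under credID for this user. Unknown users or credential ids fail closed.
func (rp *RelyingParty) Verify(user, credID string, challenge, sig []byte) bool {
	for _, c := range rp.users[user] {
		if c.ID == credID {
			digest := sha256.Sum256(challenge)
			return ecdsa.VerifyASN1(c.Public, digest[:], sig)
		}
	}
	return false
}

// CanLogIn runs a full challenge/response with one authenticator and reports
// whether any of the user's enrolled passkeys lives on it.
func CanLogIn(rp *RelyingParty, user string, auth *Authenticator) bool {
	ch, err := rp.Challenge()
	if err != nil {
		return false
	}
	for _, c := range rp.users[user] {
		sig, err := auth.Sign(c.ID, ch)
		if err == nil && rp.Verify(user, c.ID, ch, sig) {
			return true
		}
	}
	return false
}

func main() {
	rp := NewRelyingParty()
	phone := NewAuthenticator("phone")
	vault := NewAuthenticator("password-manager")
	for _, a := range []*Authenticator{phone, vault} {
		c, err := a.Register()
		if err != nil {
			panic(err)
		}
		rp.Enroll("alice", c) // constructed sample user
	}
	fmt.Println("phone can log in:", CanLogIn(rp, "alice", phone))
	// The phone is lost: a replacement has none of its keys, but the vault still has its own.
	replacement := NewAuthenticator("replacement-phone")
	fmt.Println("replacement phone can log in:", CanLogIn(rp, "alice", replacement))
	fmt.Println("password manager can log in:", CanLogIn(rp, "alice", vault))
}
```

The point the model makes concrete: nothing the relying party stores can reconstruct a lost private key, so recovery is entirely a question of how many independent authenticators were enrolled (or synced) before the loss, exactly the planning step the thread says onboarding skips.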

This is such an important point and it’s so, so overlooked. Also, it’s not limited to passkeys, as many MFA methods have similar issues.

Getting the average person to understand that they have to plan ahead for device loss/replacement and then remember how that plan works when needed is highly nontrivial.

I invite anyone who doubts this to spend a little time working at the help desk at a university that’s made MFA mandatory for students. Ask me how I know :grin: