The blogpost manages to not explain what they actually intend to do, but I assume it means WebAuthn PRF. The general idea is nice and it works, but it's hindered by the fact that sync fabrics aren't interoperable or pluggable.
Let's say you have an iPad, a Windows PC, and an Android phone, and you set up your 1Password account using a Passkey (0Password?) in your iPad, and now you want to set it up on your Windows PC... except there's no way to sync your Passkey from the Apple sync fabric to the Microsoft sync fabric, so you need some sort of shareable secret between those from which an encryption key can be derived -- a password + secret key. After that set up the encryption key you just derived can be wrapped with a key generated from the Microsoft sync fabric prf and the process starts again with Android. You've managed to unlock all your devices using WebAuthn, but you didn't manage to get rid of the password, and if you decide to change it, then you're in for the whole ride again.
The blogpost also reads Use your phone to unlock 1Password on your Mac, PC, and in the browser, so I assume the way to get around the sync fabric problem they envision using is relying on your phone's sync fabric, and relaying the encryption key through hybrid transport, then prompting you to store a Passkey in that new device, which is still a hassle but you don't need a master password for.
It is critical for the health of the ecosystem that OS vendors adopt APIs so that third-party vendors can plug-in TPM-backed sync fabrics that work across manufacturers. Several third-party vendors have joined the FIDO alliance, so I'm hopeful.
So far all I've seen mention of is MacOS, Windows, iOS and Android. Where will Linux running on older non-TPM hardware platforms fit into this ecosystem?
For _using_ WebAuthn, Linux without a TPM has the option of using a hardware key like a Yubikey or Nitrokey, or a virtual authenticator like what 1Password proposes here: https://www.future.1password.com/passkeys/
For _syncing_ WebAuthn passkeys, then virtual authenticators that sync over the wire like 1Password above is the only option. Using virtual authenticators means that your key material is in-memory alongside the OS and all running apps. That's why it's so critical that OSs expose pluggable sync fabrics; so that vendors like 1Password, or even YubiCo, can implement sync fabrics that roam through whatever hardware the current platform happens to have available.
Hrm... how would these master keys get stored securely on Linux without a dedicated TPM?
It seems that all these methods seem to want to desperately replace "something I know" with "something I have" that can break, get lost/stolen, etc. That is not a very enticing scenario for me.
> except there's no way to sync your Passkey from the Apple sync fabric to the Microsoft sync fabric
This is by design.
> so you need some sort of shareable secret between those from which an encryption key can be derived
No, you just authenticate with your iPad passkey (using qr code), and then generate a new passkey on your Windows PC, which will now sync between your windows devices. So no sharing of secrets between sync-clouds is needed, just one time sideways authentication.
I'm guessing 1password is just another passkey that they store/sync.
I know, and I don't like being forced to make this tradeoff. This protects the hardware vendors, and inconveniences me. It might leave everyone else unprotected, if the alternative ends up being using virtual authenticators like this: https://www.future.1password.com/passkeys/
> No, you just authenticate with your iPad passkey (using qr code)
I also know this, as the paragraph immediately after the one you quoted says. It's also a hassle. It makes me have to have one device to register others, and it makes me have to maintain several sync fabrics, which I don't want to have to do.
To clarify a bit, I don't want Passkeys in Apple's sync fabric to sync with Microsoft. What I want is the ability to have a third-party Passkey manager that can leverage TPMs and Secure Enclaves to generate, export, and import its own key material across devices from different manufacturers. Exactly like how 1Password envisions its future Passkey offering, but backed by hardware.
> it makes me have to maintain several sync fabrics
Yes, that's the con. That's why 3rd parties like 1password exist. Of course, they have to fight to get their plugins into the Big 3, as the Big 3 want you to use their systems.
But also the pro is that if you lose access to your sync fabric X (security breach, account closure), you can still use sync fabric Y. It's like backup fido2 tokens.
I think the security benefit of passkeys outweigh the small vendor lock-in they might create.
> But also the pro is that if you lose access to your sync fabric X (security breach, account closure), you can still use sync fabric Y. It's like backup fido2 tokens.
This is forced. I'd rather decide to do that myself depending on what my risk tolerance is. The charter of the WebAuthn working group is to provide a phishing resistant authentication mechanism, not an account-closure resistant mechanism.
> I think the security benefit of passkeys outweigh the small vendor lock-in they might create.
Absolutely, but we shouldn't have to choose! I'm not so sure the Big 3's desire for you to use their systems outweigh their desire for you not to get phished (since it also carries a cost for them), so I believe they at least have some incentive to play nice.
It might inconvenience some, but it is superior for the majority of global users vs passwords and MFA of various strengths and phishing resistance. Can’t solve for everything in one go.
My concern is that without it, people might default to a software implementation that's interoperable. While significantly better than passwords, it's still worse than hardware-backed keys.
> Can’t solve for everything in one go.
Sure, but that's the FIDO alliance working group problem, not ours. As consumers, I believe we should actively ask for these things.
Most people probably should default to a software implementation. Hardware keys are fine for work where IT can send you a new one and your employer eats the cost of their security measures while you can't do work, but for day-to-day life they introduce risks or restrictions I don't want while solving problems I don't have.
I tried WebAuthn for the first time on MacOS a few weeks ago (on the WebAuthn demo site), and the site inexplicably didn't support the key that I've been using for the last 4 years for 2FA. It didn't even bother explaining what the problem was, but I assume they want me to buy Yet Another Physical Device if I want to participate. It's definitely still not there, and at this point I don't have high hopes for the future.
Their implementation doesn't seem standards compliant. I installed the newest 1Password extension in Chrome and then went to the https://webauthn.io/ demo and clicked register -- 1Password did nothing, but the Chrome WebAuthn dialog took control.
Passkeys aren't protected when it comes to laws regarding self-incrimination and searches. Information encrypted and locked behind a password, something only you know, is protected.
Until laws surrounding biometrics are changed, I personally won't move to passkeys. There have been cases where biometrics have been protected under the same category as pins and passwords but there have also been cases where it was not.
Also, haven’t people been going on for years about how biometrics are _not_ passwords?
I would personally feel far less secure replacing my master password with a passkey, especially if the biometric is fingerprint.
But I guess this increases security for the vast majority of people while decreasing security for a small minority. Which is probably still an overall win.
I’ll continue using a strong master password for as long as it’s possible.
Passkeys are tokens that have nothing to do with your biometric data. When you "unlock" a passkey on a smartphone, you are granting access to decrypt the token using a secure element coprocessor. Your biometric data is not the passkey, is only used for local authentication, and does not leave the device.
> Passkeys are tokens that have nothing to do with your biometric data.
Did you read the linked article? 1Password is allowing users to avoid having a master password at all, instead allowing them to use only biometrics to access their vaults. So this specific implementation that we're talking about right now very much has something to do with biometrics.
> Your biometric data is not the passkey.
Never said it was.
> is only used for local authentication, and does not leave the device.
Not my concern. My concern is that my biometric data is public. The same fingerprint that would unlock my phone/laptop also happens to be plastered all over said devices as well as everything else I touch. Plenty of videos on YouTube where people have lifted fingerprints and unlocked devices. Most facial recognition technologies can be fooled with a photo. I have a serious issue with someone being able to access my 1Password vault without needing a secret such as a password that only I know. FaceID is probably the only technology I'd trust to prevent unauthorised access, but as the parent mentioned, biometrics are a bit of a grey area - in certain countries / jurisdictions you can be forced to unlock a device using biometrics even if it's illegal to force a password out of you.
First it was "use complex passwords" so passwords got harder to remember, but it was doable. Then it was "don't reuse your passwords" and I'd made a good show of it by dreaming up 3-4 distinct passwords that I rotated in different services. Then I started managing my accounts in an app because I had too many to manually/mentally track. Then it was "use a password manager" and so as I transitioned to the password manager, I had it generate very strong random passwords that I had no hope of remembering, much less typing in manually.
So I don't remember any passwords anymore and I couldn't remember them if I tried. I couldn't even type them (although I could transition to a "correct horse battery staple" method instead.) And I'm beholden to my password manager, plus my Yubikeys plus my phone plus my email, due to disparate mandatory MFA challenges.
Authentication has become really splintered and really complex. It's ridiculous to insist in this day and age that a password is "something you know" unless it's a master password to unlock your vault or your employer's SSO or something. So that ship has sailed, sorry to inform you!
I know all of my passwords, I don't reuse passwords, and I chose from the very beginning to never rely on auto-generated passwords. I would be fine without any kind of password manager.
You are making a lot of generalizations about how people interact with passwords. I don't have a single Yubikey, I use Aegis on android that allows me to generate codes and self manage backups of my 2FA secrets. It even supports DUO 2F, but I don't mess with DUO accounts because they are hotp and not totp so you will run into sync issues if your aren't careful. I do have the secret key backed up though.
My passwords are something I know. More importantly, even if you use a password manager, your master password is still something you know in the eyes of the law. That covers all passwords that are accessed using a master password as something you know. That's the whole point of multifactor, the second factor is irrelevant without the first. I could surrender all of the 2F secrets and it still wouldn't matter because a password is something I know.
Not knowing your passwords is a choice, which you are free to make, I made the opposite choice. I can understand not wanting to remember every password, but it's worth creating self chosen passwords for the critical accounts like google, microsoft, github, and financials, in my opinion. I use biometrics for my mobile OS, but biometrics are only enabled after first unlocking the phone with the pin/password. I use a traditional password for my pc.
You are not the norm. I would love to know all of my passwords. However when there are nearly 200 of them in the password manager alone this is just not remotely feasible for most people. Not everyone can just memorize that many different unique passwords. That account that I log into once every year? Not a chance I could remember it long term.
Choosing unique passwords for your main accounts and then relying on the manager for the insignificant accounts is still an option. They're not mutually exclusive. That's not an option if you go the passwordless route.
Passwords.google counts 577 but I have a seperate set in firefox. Like everyone else that "knows" this many, there's a system. The major accounts don't have a system, I have around 25 accounts with 2F enabled, plus a few financial accounts that all have uniquely created passwords. I absolutely do use a password manager. I don't need to rely on my system, but I will never use the auto-generated passwords.
But then you are far out of the norm and the fact a generalisation excludes your particular case does not mean it is too generalised, it focusses on the norm simply. Most people struggle to remember a single strong password (I do too).
Incidently, having "a system" is one of the things that has been repeatedly advised against, as it weakens your security significantly.
I have one too actually (for some accounts), but I recognise I am a/ not the norm at all and b/ definitely not following security best practices. But I estimate (maybe wrongly) that my theat model allows me to take such shortcuts.
My threat model accounts for leaked passwords, even if you are able to identify the system I use, you would have to iterate through ~8! possiblities minimum per account. There's no underlying patterns that allow for shortcuts. There's nothing wrong with a system as long as you can't guess the system by comparing multiple leaked passwords. I don't see how it could weaken security significantly if your system includes randomness in some sense. For example, the order in which you might place words and special characters or the letter placements which you substitute.
It's absolutely possible to have a system without weakning security. But that might fundamentally have the same considerations that rolling your own crypto solution would. I was thinking about those very same mistakes when making my system. I expected that a technical crowd like HN would care about stricter privacy, but I continue to be surprised.
The threat model I assume is the reason why I would never use passkeys. From the responses I have gotten, my threat model seems stricter than average. Using a manager generated password feels like security through obscurity. As does using a single point of failure piece of hardware where I can't backup the secret. I don't want to use a "virtual" passkey that is attached to a MS or Google or Apple login, especially for replacing passwords. A secret I don't control isn't my secret, similar to the idea of not your keys not your wallet when dealing with cryptocurrency. In this case, there's a very real price of privacy to pay for convenience.
What I dont understand is how they store your password-db in a safely encrypted manner, when there isn't a password to encrypt it with. It seems that either losing your device is fatal (if the encryption key is stored in some trusted tamper resistant chip on device), or 1password can access all your passwords in plaintext?
I believe I read that 1Password will allow unlocking with a hardware token, like a Yubikey. I wonder if they’ll use the PGP capabilities of the Yubikey to allow decryption.
The blogpost is light on details but they’re most likely using WebAuthn prf which was designed with this use case in mind: https://w3c.github.io/webauthn/#prf-extension , with the idea that it’s backed by a sync fabric rather than a single hardware device.
40 comments
[ 3.9 ms ] story [ 88.2 ms ] threadLet's say you have an iPad, a Windows PC, and an Android phone, and you set up your 1Password account using a Passkey (0Password?) in your iPad, and now you want to set it up on your Windows PC... except there's no way to sync your Passkey from the Apple sync fabric to the Microsoft sync fabric, so you need some sort of shareable secret between those from which an encryption key can be derived -- a password + secret key. After that set up the encryption key you just derived can be wrapped with a key generated from the Microsoft sync fabric prf and the process starts again with Android. You've managed to unlock all your devices using WebAuthn, but you didn't manage to get rid of the password, and if you decide to change it, then you're in for the whole ride again.
The blogpost also reads Use your phone to unlock 1Password on your Mac, PC, and in the browser, so I assume the way to get around the sync fabric problem they envision using is relying on your phone's sync fabric, and relaying the encryption key through hybrid transport, then prompting you to store a Passkey in that new device, which is still a hassle but you don't need a master password for.
It is critical for the health of the ecosystem that OS vendors adopt APIs so that third-party vendors can plug-in TPM-backed sync fabrics that work across manufacturers. Several third-party vendors have joined the FIDO alliance, so I'm hopeful.
For _syncing_ WebAuthn passkeys, then virtual authenticators that sync over the wire like 1Password above is the only option. Using virtual authenticators means that your key material is in-memory alongside the OS and all running apps. That's why it's so critical that OSs expose pluggable sync fabrics; so that vendors like 1Password, or even YubiCo, can implement sync fabrics that roam through whatever hardware the current platform happens to have available.
It seems that all these methods seem to want to desperately replace "something I know" with "something I have" that can break, get lost/stolen, etc. That is not a very enticing scenario for me.
This is by design.
> so you need some sort of shareable secret between those from which an encryption key can be derived
No, you just authenticate with your iPad passkey (using qr code), and then generate a new passkey on your Windows PC, which will now sync between your windows devices. So no sharing of secrets between sync-clouds is needed, just one time sideways authentication.
I'm guessing 1password is just another passkey that they store/sync.
I know, and I don't like being forced to make this tradeoff. This protects the hardware vendors, and inconveniences me. It might leave everyone else unprotected, if the alternative ends up being using virtual authenticators like this: https://www.future.1password.com/passkeys/
> No, you just authenticate with your iPad passkey (using qr code)
I also know this, as the paragraph immediately after the one you quoted says. It's also a hassle. It makes me have to have one device to register others, and it makes me have to maintain several sync fabrics, which I don't want to have to do.
To clarify a bit, I don't want Passkeys in Apple's sync fabric to sync with Microsoft. What I want is the ability to have a third-party Passkey manager that can leverage TPMs and Secure Enclaves to generate, export, and import its own key material across devices from different manufacturers. Exactly like how 1Password envisions its future Passkey offering, but backed by hardware.
Yes, that's the con. That's why 3rd parties like 1password exist. Of course, they have to fight to get their plugins into the Big 3, as the Big 3 want you to use their systems.
But also the pro is that if you lose access to your sync fabric X (security breach, account closure), you can still use sync fabric Y. It's like backup fido2 tokens.
I think the security benefit of passkeys outweigh the small vendor lock-in they might create.
This is forced. I'd rather decide to do that myself depending on what my risk tolerance is. The charter of the WebAuthn working group is to provide a phishing resistant authentication mechanism, not an account-closure resistant mechanism.
> I think the security benefit of passkeys outweigh the small vendor lock-in they might create.
Absolutely, but we shouldn't have to choose! I'm not so sure the Big 3's desire for you to use their systems outweigh their desire for you not to get phished (since it also carries a cost for them), so I believe they at least have some incentive to play nice.
> Can’t solve for everything in one go.
Sure, but that's the FIDO alliance working group problem, not ours. As consumers, I believe we should actively ask for these things.
> This is by design.
And this is exactly why it's bound to fail. Explain to my grandma why she can't sign in from her computer AND her iPad.
I love the fact that Apple/Google/Microsoft are onboard, and now have implementations.
So why the frack are Apple/Google/Microsoft don't support passkeys on their own systems yet? They don't even support Webaunth.
These guys really need to set an example if they are actually serious about passkey.
Apple iCloud supports WebAuthn as of two months ago: https://www.apple.com/newsroom/2022/12/apple-advances-user-s...
Google has supported WebAuthn for quite a while as well: https://landing.google.com/advancedprotection/
I'm not very familiar with Microsoft's ecosystem and I believe it's a bit more fragmented, but it seems that at least some portions of it do support it: https://support.microsoft.com/en-us/account-billing/how-to-g...
Goodbye, passwords, https://news.ycombinator.com/item?id=34725322, 2 days ago, 10 points, 2 comments
Edit: Interestingly enough, the demo site is listed in 1Password's own directory: https://passkeys.directory/details/web-authn-io/
Until laws surrounding biometrics are changed, I personally won't move to passkeys. There have been cases where biometrics have been protected under the same category as pins and passwords but there have also been cases where it was not.
https://www.concordlawschool.edu/blog/constitutional-law/fif...
I would personally feel far less secure replacing my master password with a passkey, especially if the biometric is fingerprint.
But I guess this increases security for the vast majority of people while decreasing security for a small minority. Which is probably still an overall win.
I’ll continue using a strong master password for as long as it’s possible.
Did you read the linked article? 1Password is allowing users to avoid having a master password at all, instead allowing them to use only biometrics to access their vaults. So this specific implementation that we're talking about right now very much has something to do with biometrics.
> Your biometric data is not the passkey.
Never said it was.
> is only used for local authentication, and does not leave the device.
Not my concern. My concern is that my biometric data is public. The same fingerprint that would unlock my phone/laptop also happens to be plastered all over said devices as well as everything else I touch. Plenty of videos on YouTube where people have lifted fingerprints and unlocked devices. Most facial recognition technologies can be fooled with a photo. I have a serious issue with someone being able to access my 1Password vault without needing a secret such as a password that only I know. FaceID is probably the only technology I'd trust to prevent unauthorised access, but as the parent mentioned, biometrics are a bit of a grey area - in certain countries / jurisdictions you can be forced to unlock a device using biometrics even if it's illegal to force a password out of you.
First it was "use complex passwords" so passwords got harder to remember, but it was doable. Then it was "don't reuse your passwords" and I'd made a good show of it by dreaming up 3-4 distinct passwords that I rotated in different services. Then I started managing my accounts in an app because I had too many to manually/mentally track. Then it was "use a password manager" and so as I transitioned to the password manager, I had it generate very strong random passwords that I had no hope of remembering, much less typing in manually.
So I don't remember any passwords anymore and I couldn't remember them if I tried. I couldn't even type them (although I could transition to a "correct horse battery staple" method instead.) And I'm beholden to my password manager, plus my Yubikeys plus my phone plus my email, due to disparate mandatory MFA challenges.
Authentication has become really splintered and really complex. It's ridiculous to insist in this day and age that a password is "something you know" unless it's a master password to unlock your vault or your employer's SSO or something. So that ship has sailed, sorry to inform you!
You are making a lot of generalizations about how people interact with passwords. I don't have a single Yubikey, I use Aegis on android that allows me to generate codes and self manage backups of my 2FA secrets. It even supports DUO 2F, but I don't mess with DUO accounts because they are hotp and not totp so you will run into sync issues if your aren't careful. I do have the secret key backed up though.
My passwords are something I know. More importantly, even if you use a password manager, your master password is still something you know in the eyes of the law. That covers all passwords that are accessed using a master password as something you know. That's the whole point of multifactor, the second factor is irrelevant without the first. I could surrender all of the 2F secrets and it still wouldn't matter because a password is something I know.
Not knowing your passwords is a choice, which you are free to make, I made the opposite choice. I can understand not wanting to remember every password, but it's worth creating self chosen passwords for the critical accounts like google, microsoft, github, and financials, in my opinion. I use biometrics for my mobile OS, but biometrics are only enabled after first unlocking the phone with the pin/password. I use a traditional password for my pc.
Incidently, having "a system" is one of the things that has been repeatedly advised against, as it weakens your security significantly.
I have one too actually (for some accounts), but I recognise I am a/ not the norm at all and b/ definitely not following security best practices. But I estimate (maybe wrongly) that my theat model allows me to take such shortcuts.
It's absolutely possible to have a system without weakning security. But that might fundamentally have the same considerations that rolling your own crypto solution would. I was thinking about those very same mistakes when making my system. I expected that a technical crowd like HN would care about stricter privacy, but I continue to be surprised.
The threat model I assume is the reason why I would never use passkeys. From the responses I have gotten, my threat model seems stricter than average. Using a manager generated password feels like security through obscurity. As does using a single point of failure piece of hardware where I can't backup the secret. I don't want to use a "virtual" passkey that is attached to a MS or Google or Apple login, especially for replacing passwords. A secret I don't control isn't my secret, similar to the idea of not your keys not your wallet when dealing with cryptocurrency. In this case, there's a very real price of privacy to pay for convenience.
https://community.bitwarden.com/t/store-webauthn-fido2-crede...