1Password Embraces a Passwordless Future (theverge.com) 40
1Password has announced that passkey support will be available to its customers in "early 2023," allowing users to securely log in to apps and websites without a password. The Verge reports: Passkeys are a passwordless login technology developed by the FIDO Alliance, whose members include most of the Big Tech companies. The tech allows users to replace traditional passwords with their device's own authentication -- such as an iPhone with Face ID -- offering greater security and protection since there's no password to steal or accidentally hand over via a phishing attack.
1Password claims its own variation, called Universal Sign On, will be superior to others by supporting multiple platforms and cross-platform syncing when it launches next year. By contrast, passkey support through companies like Apple is only built to seamlessly synchronize access on devices within the same ecosystem. A live demonstration of how passkeys will work is available for 1Password users using the latest version of its Chrome browser extension, alongside a video demo for those not using the service and a directory listing which websites, apps, and services are using passkeys for authentication. 1Password will bring full support for passkeys to its browser extension and desktop apps in early 2023, with mobile support to follow.
Hard no (Score:5, Insightful)
Re: (Score:2)
I was going to say.... Are they switching people from multi-factor to single factor? Using only biometrics is single factor....
Re: (Score:2)
The biometrics are tied to a second factor -- a device you have.
Re: (Score:3)
So what do I do when my "device" (I hate that word) breaks, but I still need to live life, access various online accounts, etc?
I'm already very annoyed at the many logins that shoot me a "a new device is using your account" crap email, when all I've done is take my computer to work, or use a different computer, etc. It's not just annoying, I'm worried they'll start to block my access to my own account.
Why not give us users the option to choose our authentication method? Unless I'm missing something, a goo
Re: Hard no (Score:2)
You use backup codes (which you can store on another device, i.e. paper)
Re: (Score:2)
If you don't want to use encrypted cloud storage for your keys, you have a few options.
You could use a Yubikey, or rather two. One you use, one backup in case you lose the first. You can also use Passkey and a single Yubikey as your backup. I use a single Yubikey and my Pixel phone, which has a Google Titan security key built in, so I always have two devices.
You can also download recovery codes from the website. You can keep the codes safely in a password manager or offline in a safe, whatever you prefer. I
Re: (Score:3)
In addition, is access granted to *all* the passkeys on your device(s) via its "own authentication" -- Face ID, PIN, etc...? If so, then it seems that would grant access to *all* your accounts that use Passkey. Sounds like something LEOs (or whoever's snooping) would love. I'll stick with my individual, unique account passwords at this time...
Re:Hard no (Score:5, Informative)
There seems to be a lot of FUD about Passkey.
It replaces your password with a cryptographic handshake. The cryptographic secrets are unique to each site and can be shared among the user's devices via cloud sync or offline sync. Keep in mind that most users use cloud sync for passwords already, due to it being built into Chrome.
One site being compromised does not expose your secrets for any other site. Your secrets can be secured behind a password or biometric security too.
For maximum security I recommend using a security key, like a Yubikey. Then you need to plug it in and touch it every time you want to log in. The encryption key is stored on the key itself, not your computer, and the key does all the crypto and validation internally. There is no way to extract the key.
Yubikey make a biometric version, and some phones have it built in too (e.g. Google Pixel).
As for your LEA example, it's the same as it is today. If they get your unencrypted PC, they have all the browser cookies and remembered passwords. They can demand the master password for your password manager. Your human brain can't remember many different passwords so either you use a password manager or you re-use crap passwords on many different websites. You can still use 2FA with Passkey.
Re: (Score:2)
Your FaceID works on YOUR iPhone, not mine. Therefore, it's a mix of something you are and something you have.
Re: (Score:2)
1Password Embraces a Passwordless Future (Score:5, Funny)
It's now called '1'.
SSH Much? (Score:1)
Re: SSH Much? (Score:1)
It seems that way but it's totally not at all like that. Passkeys rely on crypto tokens stored deep in the hardware of the device and cannot be copied, viewed, or shared.
the crucial flaw (Score:2)
> They're digital credentials that are stored on your devices, and you access them using biometrics.
Biometrics are like a really weak, really shitty password that you can never change. Not a great start there
> 1Password will help you create passkeys and keep them safe alongside all your private data. It will also sync them securely to all your devices, even across platforms.
If it can do that, then it also means it can and will leak all your secrets too.
going to have to take a hard pass on th
Re: (Score:2)
With your own fMRI and lots of machine learning (and possibly a five dollar wrench), everything is a "biometric" password, lol.
Re: (Score:2)
Re: (Score:3)
How about 'cause you can unlock a dead guy's phone with his thumb print [youtube.com]? :-)
Pretty sure they couldn't ask him for his PIN/password.
Bet this would work even if he was just sleeping, or arrested -- no $5 wrench needed.
Re: (Score:2)
Re:the crucial flaw (Score:5, Informative)
It is not generally considered "trivial" to use a dead person's corpse to unlock a device, where a weak or shitty password can be trivially guessed or brute-forced.
Sure, but your alive thumb can easily be used by law enforcement (or whoever) whereas your unknown password cannot, so I would consider the former weaker at protecting things than the latter.
Re: (Score:2)
Re: (Score:2)
If you use biometrics on your phone then learn how to quickly disable them. On Android press the power button five times rapidly. You can configure exactly what it does, e.g. notifying certain contacts or recording video.
Also check out PanicKit and Wasted, two apps you can use to lock or wipe your device in an emergency. You can set up things like duress passwords that wipe the phone instead of unlocking it.
False (Score:5, Insightful)
Re: (Score:3)
Re: (Score:1)
Re:False (Score:5, Informative)
Passkey is not generating passwords. It uses cryptographic keys that have a few advantages over passwords.
Passwords are at best stored in hashed form. That makes them vulnerable to dictionary and reasonable-time brute force attacks. The cryptographic keys used by Passkey/U2F are designed to make those attacks impractical.
Because the keys are specified, there is no issue with passwords meeting certain criteria (8 characters, including a mix of cases etc.) or being badly designed.
Public key crypto ensures that even if the entire login process is captured by an adversary, it won't allow them to re-use the data.
Because there is no keyboard entry, keylogging doesn't work. Malicious Javascript can't access anything useful.
Phishing sites don't work because the cryptographic handshake depends on the domain and the server's certificate. Even if it looks identical to the real site, the browser won't present the right credentials to log in.
You can use a security key like a Yubikey to keep the cryptographic secret off your computer entirely. There is no way for it to be stolen by malware, as it never leaves the security key and all crypto is handled by its internal processor. Most keys have a button you must press to activate the cryptographic handshake, so malware can't use the key without user interaction either.
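The phishing and replay resistance described in the comment above, shown as an added example that is not part of the original thread: a simplified model of the checks a server makes on a WebAuthn-style passkey login. The site names `bank.example` and `bank-login.example` and all function names are constructed for illustration.

```javascript
// Added illustration: simplified model of how a server checks a passkey login.
// bank.example, bank-login.example and all function names are constructed here.
const nodeCrypto = require('node:crypto');
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Registration: one key pair per site. The server only ever stores publicKey.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + authenticator. The browser, not the page, supplies origin and rpId.
function signAssertion(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticator data: SHA-256(rpId) | flags (user present + verified) | counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Server: returns 'ok' or the first check that failed.
function verifyAssertion({ clientDataJSON, authData, signature }, expected) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

function runScenarios() {
  const site = { origin: 'https://bank.example', rpId: 'bank.example' };
  const c1 = nodeCrypto.randomBytes(32), c2 = nodeCrypto.randomBytes(32);
  const good = signAssertion(site.origin, site.rpId, c1);
  // Worst case for a lookalike page: assume the same key signs there at all
  // (a real authenticator has no credential for that rpId to begin with).
  const phished = signAssertion('https://bank-login.example', 'bank-login.example', c1);
  return {
    legit: verifyAssertion(good, { ...site, challenge: c1 }),
    phished: verifyAssertion(phished, { ...site, challenge: c1 }),
    replayed: verifyAssertion(good, { ...site, challenge: c2 }), // captured login, new challenge
    // Relabelling the phished signature with the genuine site's data does not verify.
    relabelled: verifyAssertion({ ...good, signature: phished.signature }, { ...site, challenge: c1 }),
  };
}

console.log(runScenarios());
```

Only the first scenario returns `ok`; the others fail on the origin check, the challenge check and the signature check respectively, which is why a captured or relayed login is of no use against the real site.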
Re: (Score:1)
I still don't want to rely on a porn machine or a device used to transfer porn for security.
Re: (Score:3)
Crypto keys are not passwords. They use public key crypto so that your private key is never transmitted.
Re: (Score:2)
Re: (Score:2)
How are you not in complete control of it? You can build your own open source hardware key if you are really worried. All the validation and crypto takes place on the key, it just takes in a signed challenge, validates it, and spits out a signed response. Key never even enters the computer's memory or CPU, and the crypto code is unalterable in the key's MCU if you decide to make it so.
Your paranoia is making you use a much less secure system.
so ... (Score:2)
... was 0Password already taken or what?
anyway, good luck with your bulls^H^H^H^H^H^Hproduct.
First Poster said it straight (Score:2)
"Online privacy" as spelled out in the TOS is a lie wrapped in a truth.
We won't share your information... ONLY with our partners, data brokers, and with governments for legal reasons, who will then share with their partners, and so on...
So, Everybody.
Re: (Score:2)
Uhm, whose TOS are you quoting?
Re: (Score:2)
Standards are great (Score:1)
Passwordless? (Score:2)
If it embraces password-less authentication, then it should be called 0Password.
Re: (Score:2)
You still have a password, it's just that your device knows it, not you ... and the company promises to not tell anyone what it is ... unless they want to ...
intercept (Score:1)