Why protecting 1Password with a passkey is just as secure as a password and Secret Key

By Nick Summers, Content Marketing Manager

Account password. Secret Key. These two pieces of information have been the backbone of 1Password’s security model for years. The Secret Key in particular is what makes 1Password fundamentally different from other password managers, and why you can be confident that your data stays safe even if someone breaches our servers.

Now, we’re introducing the ability to create and unlock a 1Password account with a passkey. (It’s currently in private beta, and we’re working on a version that’s ready for everyone.) This is a big and exciting change, to put it mildly, that will streamline the experience of using 1Password for many people.

But it also raises the question: Does a passkey offer the same level of protection as 1Password’s existing account password and Secret Key combo?

The short answer is yes. While the two solutions protect your 1Password account in slightly different ways, they both offer excellent security. So whichever option you choose, you can rest easy knowing your data is well protected.

How your account password and Secret Key secure your 1Password account

First, let’s recap how 1Password’s traditional security model works. To sign in to your account and access your data on a new device, you need to provide your account password and your Secret Key.

Your account password is chosen by you. It’s the only password you need to remember once you’ve saved all of your other credentials in 1Password.

Your account password is never stored by or visible to us. So if an attacker somehow breached our servers, they wouldn’t find your account password. That means the thief couldn’t decrypt your data using only what they found on our servers.

Unlike some other password managers, we don’t rely solely on the strength of your account password to protect your private data. That’s why we also use…

Your Secret Key. It’s a randomly generated, account-specific string of 34 letters and numbers, separated by dashes, that carries 128 bits of entropy. Crucially, it’s never sent to us in full: we receive only the first eight characters, which identify your account.

Your account password and Secret Key are combined to create the full encryption key that secures your data. The result? Increased security that doesn’t impact the day-to-day convenience of signing in and unlocking 1Password. You only have to memorize one piece of information – your account password – but get the protection of an encryption key that’s been strengthened by your Secret Key.

Thanks to that additional ingredient, the key that encrypts your data is derived from more than 128 bits of entropy: the Secret Key’s 128 bits plus whatever your account password contributes. (If you haven’t come across the term before, entropy measures how unpredictable something is.)

That level of unpredictability makes a brute force attack, which relies on trial and error, impractical: an attacker who had to guess the full key would face a search space of more than 2^128 possibilities. In practical terms, that is virtually impossible. It also means a weak account password is not, on its own, enough to open your data, because the guessing has to happen without the Secret Key.

How a passkey secures your 1Password account

Now that we’ve covered 1Password’s traditional security model, we can compare it to the protection you get from a passkey.

When you unlock 1Password with a passkey, the process is different from using an account password and Secret Key. There are still two parts involved but there’s nothing to create or memorize.

Here’s a quick refresher on how passkeys work: Behind every passkey is a private key and a public key. They’re mathematically linked to one another, so you can’t use your private key in conjunction with someone else’s public key. It would be like jamming a stranger’s key into the lock on your front door.

Passkeys are also specific to the app, website, or service you’re signing in to. So if you create a passkey for a food delivery app, you can’t use that same passkey to sign in to your banking app.

What does this mean in the context of 1Password? If you choose to secure your 1Password account with a passkey, only the public key is kept on our servers. A public key is useless without its corresponding private key. So if an attacker somehow broke into our infrastructure, they wouldn’t find anything that lets them sign in as you.

Crucially, your private key is never shared with 1Password. It’s just that – private. The upside of this system, which is known as public-key cryptography, is that you can prove you own the private key without ever sharing it. The private key is stored on your device unless you securely sync passkeys across devices.

When you sign in to 1Password with a passkey, you don’t have to type out or enter anything. Instead, you’ll be asked to provide your biometrics, or enter your device’s passcode. Next, your device uses the private key to sign a ‘challenge’ – a fresh random value generated for that sign-in – and 1Password checks the signature with your public key. The signature proves you hold the private key without revealing it, so nothing an attacker could intercept in transit can be replayed to sign in later.

Passkeys are also extremely hard to crack. The private key is built from a very large random number (read this article if you want to learn more about the math behind the key generation process), and the number of possible keys is so vast that guessing it, or working it out from the public key, is computationally infeasible.

Which is more secure: a passkey, or an account password and Secret Key?

Both options provide the level of security you expect from 1Password.

It’s true that the security models underpinning passkeys and our classic ‘account password plus Secret Key’ combination are different. But the important thing to remember is they both provide a truly incredible level of protection for your most important data. That’s why we’re confident about adding passkeys as an option to create and unlock your 1Password account.

The account password and Secret Key will continue to be an option. If you’re happy with our existing security model, you don’t have to change anything. When we release the ability to unlock 1Password with a passkey to everyone, you’ll have the choice to:

  • Unlock your 1Password account with a passkey.
  • Continue using an account password and Secret Key.
  • Use both options in tandem. So you can use a passkey on devices where it makes sense for you, and your account password and Secret Key in other scenarios.

The bottom line

One of the many reasons why people choose 1Password is because of its security model. Together, the account password and Secret Key give your passwords and other sensitive data the protection they deserve.

Your private data will always be just that: private. We pride ourselves on our high security standards and only introduce new functionality when we’re sure it will enhance them.

The bottom line is that we believe in passkeys as the future of authentication. Unlocking your 1Password account with a passkey is not only secure but convenient because you no longer have to memorize an account password, or look after a Secret Key.

Whatever method you choose to secure your 1Password account, you can feel safe in the knowledge that your data is locked down tight.
