
About the security of unlocking 1Password with a passkey

Learn how 1Password uses passkeys to secure your 1Password account.

The traditional 1Password security model includes an account password and a Secret Key for authentication. When you unlock 1Password with a passkey, your passkey is used to authenticate you to our servers.

Technical design

Device keys

When you choose to unlock your 1Password account with a passkey, a unique device key is generated by each device that signs in to the account. 1Password uses this key to decrypt and encrypt account credentials, identify the device, and help to link apps and browsers to your account. The device key remains on your device and is used to gain access to an account unlock key as described in the Security Design white paper.

When enabled, certain platforms can use device security features to protect the device key in the hardware itself.

| 1Password platform | Biometric device key protection |
|---|---|
| Mac | Yes, on Macs with Apple silicon or the Apple T2 Security Chip |
| iOS | Yes, with Touch ID or Face ID |
| Windows | No |
| Android | Yes, with biometric unlock |
| Linux | No |
| 1Password browser extension | No |
| 1Password.com | No |

Macs without Apple silicon or the T2 chip lack the hardware required for device key protection. On those devices, the device keys don’t have hardware protection. Learn more about the Secure Enclave.

To use 1Password on ChromeOS, you can use 1Password.com and the 1Password browser extension. Neither of these offers biometric or specific hardware protections for device keys. However, ChromeOS software and devices have been designed to mitigate certain risks related to the storage of device keys. Learn more about ChromeOS security.

Linked apps and browsers

When you set up unlock with a passkey, the app or browser you use becomes your first linked app or browser. You can use this app or browser to verify your identity when you sign in to your account on other apps and browsers.

In a linked app or browser, you don’t need to enter a verification code each time you unlock 1Password. You can also unlink apps or browsers from your account at any time.

The 1Password server stores an additional encrypted version of your account unlock key for each linked app or browser. To see a list of your linked apps or browsers:

  • On 1Password.com, select your name in the top right and choose My Profile.
  • In the 1Password apps, select your account or collection at the top of the app, then choose Manage Accounts. Choose your account, then select Linked to Your Account.

Linking apps and browsers

You must use a linked app or browser to sign in to 1Password with a passkey and authorize additional apps and browsers to sign in the same way.

When you link a new app or browser to your account, you’ll be asked to provide a randomly generated alphanumeric verification code from an existing linked app or browser to prove the additional app or browser can also be linked.

After you enter the verification code, 1Password securely transfers a credential bundle from your existing linked app or browser to the new app or browser. The new app or browser uses the bundle to sign in to your 1Password account, register itself as a linked app or browser, and encrypt the credential bundle with its own device key.

If successful, your new app or browser will be linked to your account. Otherwise, the process begins again when your existing linked app or browser generates a new verification code.
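The verification-code gate described above can be modelled as a small state machine. This is an added example, not 1Password's code: the class names, the code alphabet and length, and the rule that any attempt consumes the pending code are assumptions made for illustration, and the credential bundle transfer itself is not modelled.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed alphabet
CODE_LEN = 8                                       # assumed length


class LinkedDevice:
    """Hypothetical model of an already linked app or browser."""

    def __init__(self, name):
        self.name = name
        self._pending = None  # current verification code, if any

    def new_code(self):
        # CSPRNG-backed code; replaces any code issued earlier.
        self._pending = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        return self._pending

    def check(self, submitted):
        # Single use: the pending code is consumed whether or not it matches,
        # so a failed attempt forces a fresh code (the process begins again).
        expected, self._pending = self._pending, None
        if expected is None:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), submitted.encode())


class Account:
    """Hypothetical registry of the apps and browsers linked to one account."""

    def __init__(self, first_device):
        self.linked = {first_device.name: first_device}

    def link(self, approver_name, new_name, submitted_code):
        # Only a device that is still linked can approve a new one.
        approver = self.linked.get(approver_name)
        if approver is None or not approver.check(submitted_code):
            return False
        self.linked[new_name] = LinkedDevice(new_name)
        return True

    def unlink(self, name):
        return self.linked.pop(name, None) is not None
```

In this model a mistyped code, a replayed code and an approver that has since been unlinked all fail the same way, and the only way forward is a fresh code from a device that is still linked.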

| Feature | Traditional unlock | Passkey unlock |
|---|---|---|
| Relies on security of approved devices | No | Yes |
| Recovery method | Emergency Kit | Recovery code |
| Phishing resistance | Limited | Robust |
