About the security of unlocking 1Password with a passkey

Learn how 1Password uses passkeys to secure your 1Password account.

The traditional 1Password security model includes an account password and a Secret Key for authentication. When you unlock 1Password with a passkey, your passkey is used to authenticate you to our servers.

Technical design

Device keys

When you choose to unlock your 1Password account with a passkey, each 1Password client generates a unique device key. 1Password uses this key to decrypt and encrypt account credentials, identify the device, and help with the enrollment of additional devices. The device key remains on your device, and is used to gain access to an account unlock key as described in the Security Design white paper.

When enabled, certain platforms can use device biometric security features to protect the device key in hardware when you unlock with a passkey.

| 1Password platform | Biometric device key protection |
| --- | --- |
| Mac | Yes, on devices with Apple silicon or a T2 chip |
| iOS | Yes, using Touch ID or Face ID |
| Windows | No |
| Android | Yes, using biometric unlock |
| Linux | No |
| 1Password browser extension | No |
| 1Password.com | No |

Trusted devices

A trusted device is one you’ve used to sign in to 1Password – a device that 1Password can identify as yours. You can use a trusted device to verify your identity on another device or browser, then grant it trusted status by following the trusted device enrollment steps.

The 1Password server stores an additional encrypted version of your account unlock key for each registered device. You can see a list of trusted devices in your profile on 1Password.com and in the 1Password apps.
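
The per-device copies described above can be modelled as key wrapping. This is an added illustration, not 1Password's code: the cipher (AES-256-GCM), the Wrap and Unwrap names, and the device ID strings are assumptions, since this page does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256 (assumed cipher)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts the unlock key under one device key, binding the device ID as AAD.
func Wrap(deviceKey, unlockKey []byte, deviceID string) ([]byte, error) {
	g, err := gcm(deviceKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, unlockKey, []byte(deviceID)), nil
}

// Unwrap runs on the device, the only place its device key exists.
func Unwrap(deviceKey, blob []byte, deviceID string) ([]byte, error) {
	g, err := gcm(deviceKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(deviceID))
}

func main() {
	keys := make([]byte, 96) // constructed sample: laptop key | phone key | unlock key
	rand.Read(keys)
	blob, _ := Wrap(keys[:32], keys[64:], "laptop")
	_, err := Unwrap(keys[32:64], blob, "laptop")
	fmt.Println("phone key on laptop's copy:", err)
}
```

In this model the stored copies are ciphertext only, and deleting one device's copy leaves the other devices' copies usable.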

Trusted device enrollment

You must use a trusted device to sign in to 1Password with a passkey and authorize additional devices to sign in the same way.

When you enroll a new device, you’ll be asked to provide a randomly generated alphanumeric verification code from an existing trusted device to prove the additional device can also be trusted.

After you enter the verification code, 1Password securely transfers a credential bundle from your existing trusted device to the new device. The new device uses the bundle to sign in to your 1Password account, register itself as a trusted device, and encrypt the credential bundle with its own device key.

If successful, your new device is registered as a trusted device. Otherwise, the process begins again when your existing trusted device generates a new verification code.

| Feature | Traditional unlock | Passkey unlock |
| --- | --- | --- |
| Relies on security of approved devices | No | Yes |
| Recovery method | Emergency Kit | Recovery code |
| Phishing resistance | Limited | Robust |
