The traditional 1Password security model includes an account password and a Secret Key for authentication. When you unlock 1Password with a passkey, your passkey is used to authenticate you to our servers.
When you choose to unlock your 1Password account with a passkey, each 1Password client generates a unique device key. 1Password uses this key to decrypt and encrypt account credentials, identify the device, and help with the enrollment of additional devices. The device key remains on your device, and is used to gain access to an account unlock key as described in the Security Design white paper.
When enabled, certain platforms can use device biometric security features to protect the device key in hardware when you unlock with a passkey.
|Biometric device key protection
|Yes, on devices with Apple silicon or a T2 chip
|Yes, using Touch ID or Face ID
|Yes, using biometric unlock
|1Password browser extension
A trusted device is one you’ve used to sign in to 1Password – a device that 1Password can identify as yours. You can use a trusted device to verify your identity on another device or browser, then grant it trusted status by following the trusted device enrollment steps.
The 1Password server stores an additional encrypted version of your account unlock key for each registered device. You can see a list of trusted devices in your profile on 1Password.com and in the 1Password apps.
Trusted device enrollment
You must use a trusted device to sign in to 1Password with a passkey and authorize additional devices to sign in the same way.
When you enroll a new device, you’ll be asked to provide a randomly generated alphanumeric verification code from an existing trusted device to prove the additional device can also be trusted.
After you enter the verification code, 1Password securely transfers a credential bundle from your existing trusted device to the new device. The new device uses the bundle to sign in to your 1Password account, register itself as a trusted device, and encrypt the credential bundle with its own device key.
If successful, your new device is registered as a trusted device. Otherwise, the process begins again when your existing trusted device generates a new verification code.
|Relies on security of approved devices