About the security of unlocking 1Password with a passkey

Learn how 1Password uses passkeys to secure your 1Password account.

The traditional 1Password security model includes an account password and a Secret Key for authentication. When you unlock 1Password with a passkey, your passkey is used to authenticate you to our servers.

Technical design

Device keys

When you choose to unlock your 1Password account with a passkey, a unique device key is generated by each device that signs in to the account. 1Password uses this key to decrypt and encrypt account credentials, identify the device, and help with trusted device enrollment. The device key remains on your device and is used to gain access to an account unlock key as described in the Security Design white paper.

When enabled, certain platforms can use device security features to protect the device key in the hardware itself.

| 1Password platform | Biometric device key protection |
|---|---|
| Mac | Yes, on Macs with Apple silicon or the Apple T2 Security Chip |
| iOS | Yes, with Touch ID or Face ID |
| Windows | No |
| Android | Yes, with biometric unlock |
| Linux | No |
| 1Password browser extension | No |
| 1Password.com | No |

Macs without Apple silicon or the T2 chip lack the hardware required for device key protection. On those devices, the device keys don’t have hardware protection. Learn more about the Secure Enclave.

To use 1Password on ChromeOS, you can use 1Password.com and the 1Password browser extension. Neither of these offers biometric or specific hardware protections for device keys. However, ChromeOS software and devices have been designed to mitigate certain risks related to the storage of device keys. Learn more about ChromeOS security.

Trusted devices

When you set up unlock with a passkey, the device you use becomes your first trusted device. You can use this trusted device to verify your identity when you sign in to your account on another device or browser.

On a trusted device, you don’t need to enter a verification code each time you unlock 1Password. You can deauthorize the device to remove it from your trusted devices.

The 1Password server stores an additional encrypted version of your account unlock key for each trusted device. To see a list of your trusted devices:

  • On 1Password.com, select your name in the top right and choose My Profile.
  • In the 1Password apps, select your account or collection at the top of the app, then choose Manage Accounts. Choose your account, then select Trusted Devices and Browsers.

Trusted device enrollment

You must use a trusted device to sign in to 1Password with a passkey and authorize additional devices to sign in the same way.

When you enroll a new device, you’ll be asked to provide a randomly generated alphanumeric verification code from an existing trusted device to prove the additional device can also be trusted.

After you enter the verification code, 1Password securely transfers a credential bundle from your existing trusted device to the new device. The new device uses the bundle to sign in to your 1Password account, register itself as a trusted device, and encrypt the credential bundle with its own device key.

If successful, your new device is registered as a trusted device. Otherwise, the process begins again when your existing trusted device generates a new verification code.
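
A simplified model of the per-device storage and enrollment described above, as an added example that is not 1Password's code. The names `Server`, `wrap`, `unwrap` and `enroll` are hypothetical, the cipher is a standard-library stand-in for a real authenticated cipher, and the verification-code-protected transfer between devices is not modelled.

```python
import hashlib, hmac, secrets

def _subkey(device_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one device key.
    return hmac.new(device_key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode as a keystream; stand-in for a vetted AEAD.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(device_key: bytes, unlock_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(device_key, b"enc"), nonce, unlock_key)
    tag = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(device_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong device key or modified blob")
    return _xor_stream(_subkey(device_key, b"enc"), nonce, ct)

class Server:
    """Holds one wrapped copy per trusted device; never sees a device key."""
    def __init__(self):
        self.wrapped = {}
    def register(self, device_id: str, blob: bytes):
        self.wrapped[device_id] = blob
    def deauthorize(self, device_id: str):
        self.wrapped.pop(device_id, None)

def enroll(server, trusted_id, trusted_key, new_id, new_key):
    # The trusted device opens its copy; the new device re-wraps the key
    # under its own device key and registers that copy with the server.
    unlock_key = unwrap(trusted_key, server.wrapped[trusted_id])
    server.register(new_id, wrap(new_key, unlock_key))

def demo():
    # Constructed sample keys and device names.
    server, unlock_key = Server(), secrets.token_bytes(32)
    laptop_key, phone_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server.register("laptop", wrap(laptop_key, unlock_key))  # first trusted device
    enroll(server, "laptop", laptop_key, "phone", phone_key)
    server.deauthorize("laptop")  # drops only the laptop's wrapped copy
    return server, unlock_key, laptop_key, phone_key
```

In this model a device key opens only the copy wrapped for that device, so a copied blob is useless without the matching device key, and deauthorizing one device leaves the others' copies intact.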

| Feature | Traditional unlock | Passkey unlock |
|---|---|---|
| Relies on security of approved devices | No | Yes |
| Recovery method | Emergency Kit | Recovery code |
| Phishing resistance | Limited | Robust |
