Use a unique QR code to sign in to your 1Password account on a new device. After you scan your QR code, you’ll be signed in without entering your account password or Secret Key. If you unlock 1Password with SSO or a passkey, you won’t need to provide a verification code from a linked app or browser.
Technical design
When you scan your QR code, 1Password creates an end-to-end encrypted channel between your new device and an existing linked app or browser. 1Password uses the secure channel to transmit session information and key material.
Your QR code contains partial confidential key material for each channel, which makes sure they can’t be used later or intercepted by a malicious server.
While QR codes contain time-bound session information like pairing credentials, you have to enter a confirmation code or accept a prompt to confirm your intent to pair your devices.
Security model
The channels 1Password creates between your devices are protected by Noise, a framework for cryptographic protocols. 1Password keeps these channels cryptographically separate for different QR codes and future uses to prevent messages from being mixed, whether accidentally or maliciously.
Keys are never reused. 1Password generates all exchange keys as needed and stores them only in memory to prevent pre-exchange compromise. New keys used to reconnect devices in the future are rolled over after each exchange. Pre-shared keys (PSKs) make sure historical communication can’t be decrypted in the future, even by someone with access to a quantum computer.
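The separation, PSK and rollover properties described above, as an added Python illustration that is not 1Password's code and does not implement Noise. It assumes HKDF-SHA256 and HMAC from the standard library in place of a Noise handshake, random bytes in place of an ephemeral Diffie-Hellman output, and the labels `pairing-channel|`, `next-psk`, `qr-code-A` and `qr-code-B`, which are made up for the example.

```python
import hashlib
import hmac
import secrets


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with salt, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def channel_key(dh_output: bytes, psk: bytes, qr_id: bytes) -> bytes:
    """Bind the channel key to the DH result, the PSK and one specific QR code."""
    return hkdf(salt=psk, ikm=dh_output, info=b"pairing-channel|" + qr_id)


def roll_psk(psk: bytes, transcript: bytes) -> bytes:
    """One-way step to the next reconnect PSK; the caller discards the old one."""
    return hkdf(salt=psk, ikm=transcript, info=b"next-psk")


def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def accepts(key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tag(key, message), mac)


def demo(msg: bytes = b"session material") -> dict:
    # Constructed sample values; dh_output stands in for an ephemeral DH result.
    dh_output, psk = secrets.token_bytes(32), secrets.token_bytes(32)
    key_a = channel_key(dh_output, psk, b"qr-code-A")
    key_b = channel_key(dh_output, psk, b"qr-code-B")
    mac_a = tag(key_a, msg)
    # An observer who later recovers dh_output but never saw the PSK.
    guess = channel_key(dh_output, secrets.token_bytes(32), b"qr-code-A")
    next_psk = roll_psk(psk, transcript=msg + mac_a)
    return {
        "same_channel_ok": accepts(key_a, msg, mac_a), "cross_channel_ok": accepts(key_b, msg, mac_a),
        "dh_only_ok": accepts(guess, msg, mac_a), "psk_rolled": next_psk != psk,
    }


if __name__ == "__main__":
    print(demo())
```

A message authenticated for one QR code's channel is rejected on another, and knowing the DH output alone is not enough to reproduce the channel key.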
Risk considerations
This sign-in process is extremely difficult to phish or manipulate because of the QR code design and the fact that you need to verify your intent to pair your devices. 1Password will never reveal credentials to a new device, illegitimate or not, without asking you first.