1Password plans to become the first password manager without passwords
Password manager 1Password plans to become the first major password management service that does not require passwords for unlocking user password databases. The company's answer to passwords is passkey, a technology that has picked up speed in recent time with the addition of support in multiple popular operating systems.
While 1Password users may already sign-in to the service using biometric authentication systems, these systems, including Windows Hello, Face ID, or Android Fingerprint, still rely on passwords in the background.
How Passkeys work
Passkeys work similarly to biometric authentication systems for the user. Users do not have to select passwords during setup of accounts or type passwords when they sign-in. Instead, they use functionality provided on the device, e.g. a smartphone or PC, to authenticate using the same biometric authentication options. Unlike current biometric systems, passkeys eliminate the underlying passwords.
Passkeys use public-key cryptography instead. It would go too far to explain the technical details of the authentication technology, but at its core, it is based on public and private key pairs. The public key may be shared with sites and services, whereas the private key needs to be kept secure and a secret. Using the private key, it is possible to decrypt data that is encrypted with the paired public key.
What makes the system more secure than traditional password systems is that sites and apps do not have access to the private key. This also means that certain types of malicious attacks, including phishing attacks, have no effect on passkey authentication.
The majority of Internet sites and apps do not support passkeys at this stage, but support will increase in the coming years. When a user visits a site or opens an app that supports passkeys, the following happens: the user selects to create an account on the site and picks the passkeys option. The website or app then asks the user to confirm the authenticator, which can be any device or app that supports passkey generation.
The authenticator generates a unique public and private key pair for the site in question locally on the device. The public key is then sent to the website or app, while the private key remains on the device it was generated on. To sign-in, users use the authenticator on their device to authenticate using their private key locally on the device. The info is then submitted to the site or app, verified there, and if everything matches, the sign-in request is accepted.
Who needs password managers in the future?
The main purpose of password managers, such as KeePass, Bitwarden or 1Password, is the storing of passwords and other sensitive data. Passwords will play an important role for a long time, even as passkeys rise to prominence. Not all sites and apps will support passkeys, which means that users will need to use passwords in the future, even as the bulk of sites and apps may support passkeys.
Passkeys do not necessarily require a password manager, but password managers may become authenticators. It is a natural transformation, or feature addition, so that passkey information is stored in the encrypted database alongside classic passwords and other user data.
1Password published an explainer video on using passkeys with 1Password. It demonstrates the core functionality of signing-in using passkeys.
Passwords won't go away anytime soon, and it is as important as ever to make sure they are secured properly and do not fall into the wrong hands. 1Password has not revealed when it plans to launch passkeys support in its password manager. It is likely that other password manager will also implement passkeys support in the near future.
It is unclear if 1Password plans to rename its business to 0Password as a consequence.
Now You: will you use passkeys when they become available?
How long before it is hacked?
It’s definitely not the first, Dashlane, Google, Microsoft, and Apple all already offer passkey solutions.
Bad choice of subject heading?
However, that is useless if it only works for phones. Hopefully, your subject heading means
“1Password plans to become the first cross-platform password manager without passwords”
If it does happen, it also needs to take care of the sites signed up using already disposed disposable email address or I’m in trouble?
A few questions.
– How do you back up the private key which is on your device ?
– How do you prevent a thief from accessing your accounts if he steals your laptop or phone ?
– Do you have anything to do at all to log into an account protected with a passkey ? 1Password suggests you need to pass a biometric check : a fingerprint or a face picture. I thought biometric identification was considered weak, and not to be relied upon.
– 1Password talks about “confirming the authenticator”, which sounds to me as clear as “bumbling the podopractor”. What the heck does that mean ? And when do you have to bumble the podopractor ? Only once, when creating the account, or each time you log in ?