9 Unlock with a passkey or single sign-on

As an alternative to the sign-in method described in chapter “A deeper look at keys,” it’s also possible to sign in to 1Password with a passkey or a single sign-on (SSO) provider.

Anyone can create an account that uses a passkey for authentication. When you set up an account this way, you provide your account’s passkey to unlock 1Password instead of an account password and Secret Key.

Companies that use 1Password can configure unlock with SSO for groups in their organization. When a user signs in with SSO, they sign in with the username, password, and other authentication factors required by their SSO provider instead of using their account password and Secret Key to authenticate to 1Password. 1Password accepts proof of authorization from the SSO provider as authentication.

9.1 Unlocking without an account password

We designed passkey and SSO unlock to work similarly to signing in with an account password and Secret Key: both methods set up a process that authenticates to the server with Secure Remote Password (SRP). On devices where a user signs in with a passkey or SSO, 1Password clients store a device key. Each device key is uniquely and randomly generated, and never leaves the device on which it was created.
To enroll a new device on a passkey or SSO-enabled account, the user must authenticate first, then authorize the new device using a previously enrolled device.

Device key

A cryptographic key stored on a 1Password client that’s using single sign-on (SSO). It’s used to decrypt the credential bundle it receives from the server upon successful sign in.

With passkey and SSO unlock, your first device randomly generates an SRP-\(x\) and an Account Unlock Key (AUK). They’re stored on our servers, encrypted by the device key, which is only stored on the device that created it. This combination of the SRP-\(x\) and AUK is called a credential bundle.

Credential bundle

A randomly generated SRP-𝑥 and AUK, used to sign in to 1Password with a passkey or single sign-on (SSO). It’s encrypted by the device key and stored on 1Password servers.

Figure 9.1: Passkey sign in. The solid purple arrows illustrate the authorization of a device when a user performs a passkey sign-in, green arrows illustrate the return of the credential Bundle to the user, and dashed golden arrows illustrate the user’s authentication with SRP to use 1Password.

Figure 9.2: Single sign-on sign in. The solid purple arrows indicate a user signing in to their SSO provider. The solid red arrow shows the authorization the SSO provider sends to the 1Password server. The green arrows show the credential bundle being returned to the user. The dashed golden arrows show the user authenticating with SRP to use 1Password. This diagram is based on the OpenID Connect SSO authorization flow. For some SSO providers, the destinations of certain arrows may be slightly different.

9.1.1 Authorization and the credential bundle

Authorization to obtain the credential bundle happens as follows:

In return for a valid proof of authorization, our servers return a credential bundle encrypted with the device key. After the 1Password client decrypts the SRP-\(x\) and AUK with the device key, it authenticates as described in “A deeper look at keys.” After successful sign-in with a passkey or an SSO provider, 1Password behaves identically to when an account password and Secret Key are used.

9.2 Linked apps and browsers

After you’ve successfully enrolled with a passkey or SSO, the app or browser you use is linked. The device you use stores a device key and sets up a unique credential bundle. The first client used to sign in to 1Password – either for the first time or after a user has been restored – is a linked app (or browser) by default.

Linked app or browser

A client trusted to use SSO by having set up a device key and created a corresponding credential bundle.

The first app or browser you use to sign in creates a new set of randomly generated values that form the credential bundle. Any additional apps or browsers you enroll need approval. They’re approved by successfully authenticating to the SSO provider, consenting to the sign-in with an existing linked app, and providing a code that’s randomly generated by the linked device.

When you approve a sign-in within your linked app or browser, it sends a copy of the credential bundle to the new device via an end-to-end (E2E) encrypted channel. The new app protects the credential bundle with its own unique device key. The device key is critical for the overall security of SSO. Appendix A has more information about device key security and storage.

9.3 Linking other devices

When you set up a new app or browser, the credential bundle the device uses is obtained from a previously linked client. For your existing device to send the credential bundle to your new device, a trusted channel is set up between the two devices. For reliability, that channel is facilitated by 1Password servers and set up in such a way that 1Password can’t see what the two devices are sending each other.

The trusted channel between two devices uses the CPace cryptographic protocol. With CPace, two devices with knowledge of a six-character code can authenticate to one another and agree on a shared encryption key. That encryption key is used to encrypt the credential bundle when it’s sent from a linked device to a new device, so anyone observing the encrypted messages, including the 1Password server that relays them, can’t decrypt the contents. In the event a malicious server attempts to interfere in the key agreement process, 1Password clients detect the interference and abandon the exchange.

CPace

A modern PAKE using a shared secret, defined by Abdalla, Haase, and Hesse (CPace, a balanced composable PAKE).[1]

With these building blocks, the process shown in Figure 9.3 and annotated below describes how a credential bundle safely travels between two devices.

Figure 9.3: An overview of the protocol by which a linked app or browser is added, showing the communication between the linked client, new device, and 1Password server. Any SSO providers that perform initial sign-in are not depicted.

Line 1: The parties involved are a new device, the server, and a linked app or browser. Your SSO provider, if applicable, also plays a small role initially, but it’s omitted from the figure for simplicity.

Line 2: You sign in to 1Password with a passkey or SSO.

Line 3: The 1Password server sends a notification to all existing linked apps and browsers. They’ll notify you that a new device wants to be set up and you need to approve the connection on the existing device. If you choose to continue, you’ll have to sign in on the existing device unless you already have an active session.

Lines 4-7: Your existing device initiates a trusted channel with the new device using CPace. It generates a 6-character setup code, uses it to create a CPace handshake \(hs\), and sends the handshake to the 1Password server.

Lines 7-10: Your new device fetches the CPace handshake and asks you to enter the setup code. After you enter it, your device computes a CPace reply \(r\) from the handshake and the setup code, then sends the reply to the 1Password server.

Both devices use the exchanged values to compute a shared session key \(k_s\).

Lines 11-13: Before the keys are used, it’s important to verify that they were exchanged correctly. After all, you may have entered the wrong setup code, or something nefarious may have tried to influence the messages sent between your devices.

To verify the keys, both devices compute an HMAC digest of the message they received from the other device, using the key they both derived. They send these verification values to one another, and each verifies that the value computed by the other matches its own. If the values don’t match on either device, they break off the setup process and start over.

Lines 13-18: Your linked app or browser encrypts the credential bundle with (a derivative of) the session key established previously and sends it to your new device via the 1Password server. Your new device derives the decryption key the same way and decrypts the credential bundle. Next, the device generates a random device key, stores it, then encrypts the credential bundle with the device key. Your device stores the newly encrypted credential bundle on the 1Password server and completes the process to become a linked app or browser.
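The exchange in Figure 9.3, as an added example that is not 1Password’s code: a linked device and a new device run a CPace-style balanced PAKE through a relay that stands in for the 1Password server, confirm the key with HMACs over the messages each side received (lines 11-13), transfer the credential bundle under a key derived from \(k_s\) (lines 13-18), and the new device then wraps the bundle under a fresh device key of its own, which is the encrypted copy described in 9.1 and 9.2 that the server stores. Everything is standard library only. The group (RFC 3526 group 14, a 2048-bit MODP safe prime, rather than the elliptic-curve instantiations of the CFRG CPace draft), the hash-to-group method, the key schedule, the setup-code alphabet, the encrypt-then-MAC stand-in for the client’s AEAD, and the credential bundle bytes are all this example’s assumptions, not the client’s.

```python
"""Added example, not 1Password's code: a CPace-style balanced PAKE between a linked and
a new device, relayed by a server that never learns the session key, with HMAC key
confirmation, transfer of the credential bundle, and wrapping under a fresh device key.
Stdlib only; group (RFC 3526 group 14), hash-to-group and encrypt-then-MAC are assumptions."""
import hashlib, hmac, os, secrets

# RFC 3526 group 14: 2048-bit safe prime p = 2q + 1 (transcribed from the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
_i2b = lambda x: x.to_bytes(256, "big")          # fixed-width encoding of group elements

def group_sanity() -> bool:
    return P.bit_length() == 2048 and P % 8 == 7 and pow(2, Q, P) == 1  # 2 has order q

def new_setup_code() -> str:                      # six characters from an assumed alphabet
    return "".join(secrets.choice("ABCDEFGHJKLMNPQRSTUVWXYZ23456789") for _ in range(6))

def hash_to_group(code: str, sid: bytes) -> int:
    """Code + session id -> generator of the order-q subgroup: expand, reduce, square."""
    wide = hashlib.shake_256(b"cpace-modp-v1|" + sid + b"|" + code.encode()).digest(320)
    g = pow(int.from_bytes(wide, "big") % P, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator")  # negligible probability; abort
    return g

class Device:
    """One endpoint of the trusted channel; every message passes through the relay."""
    def __init__(self, name: str): self.name = name
    def _pick(self) -> None:
        self.y = secrets.randbelow(Q - 2) + 2     # private scalar in [2, q-1]
        self.sent = pow(self.g, self.y, P)        # public share Y = g^y
    def handshake(self, code: str) -> dict:
        """Linked device (lines 4-7): fresh session id and first CPace message hs."""
        self.sid = os.urandom(16)
        self.g = hash_to_group(code, self.sid)
        self._pick()
        return {"sid": self.sid, "Y": self.sent}
    def reply(self, code: str, hs: dict) -> dict:
        """New device (lines 7-10): derive g from the typed code and answer with r."""
        self.sid = hs["sid"]
        self.g = hash_to_group(code, self.sid)
        self._pick()
        self._derive(peer=hs["Y"], ya=hs["Y"], yb=self.sent)
        return {"Y": self.sent}
    def finish(self, r: dict) -> None:           # linked device: consume r, derive k_s
        self._derive(peer=r["Y"], ya=self.sent, yb=r["Y"])
    def _derive(self, peer: int, ya: int, yb: int) -> None:
        # Reject 0, 1, p-1 and anything outside the prime-order subgroup (relay-chosen values).
        if not 1 < peer < P - 1 or pow(peer, Q, P) != 1:
            raise ValueError(f"{self.name}: invalid peer share")
        self.received = peer
        transcript = self.sid + _i2b(ya) + _i2b(yb) + _i2b(pow(peer, self.y, P))
        self.k_s = hashlib.sha256(b"cpace-isk|" + transcript).digest()
        self.k_conf = hmac.new(self.k_s, b"confirm", hashlib.sha256).digest()
        self.k_enc = hmac.new(self.k_s, b"bundle", hashlib.sha256).digest()
    def confirm(self) -> bytes:                   # lines 11-13: HMAC of the message received
        return hmac.new(self.k_conf, _i2b(self.received), hashlib.sha256).digest()
    def verify(self, tag: bytes) -> bool:        # compare against the message this side sent
        expected = hmac.new(self.k_conf, _i2b(self.sent), hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    pad = hashlib.shake_256(hmac.new(key, b"stream", hashlib.sha256).digest() + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))
def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(hmac.new(key, b"mac", hashlib.sha256).digest(), data, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC from stdlib primitives, standing in for the client's AEAD."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + _tag(key, nonce + ct)
def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("bundle failed authentication")
    return _keystream_xor(key, nonce, ct)

def link_device(bundle: bytes, code_shown: str, code_typed: str, relay_tampers: bool = False):
    """Whole exchange; None if confirmation fails (wrong code or altered message)."""
    linked, new = Device("linked"), Device("new")
    hs = linked.handshake(code_shown)             # linked -> server -> new
    r = new.reply(code_typed, hs)                 # new -> server -> linked
    if relay_tampers:                             # malicious server swaps in its own share
        r = {"Y": pow(2, secrets.randbelow(Q - 2) + 2, P)}
    linked.finish(r)
    if not (new.verify(linked.confirm()) and linked.verify(new.confirm())):
        return None                               # abandon the setup and start over
    received = unseal(new.k_enc, seal(linked.k_enc, bundle))   # lines 13-18, via the server
    device_key = os.urandom(32)                   # generated and kept on the new device only
    return {"bundle": received, "device_key": device_key, "stored": seal(device_key, received)}
```

Two details carry the security argument. Each confirmation tag is computed over the message the sender received and checked by the peer against the message it actually sent, so a relay that substitutes either share, or a mistyped code that yields a different generator, fails confirmation on both sides before any bundle is encrypted. And because the relay never learns the code it cannot compute \(g\), so the most it can do is cause the handshake to fail, matching the abandon-and-restart behaviour described above. The subgroup check in `_derive` is what stops a relay from forcing a small-order share and a predictable shared secret. A production client should use a vetted CPace implementation over the curves in the draft, not this MODP sketch.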

9.4 Quick on-device access with biometrics

The process described in Figure 9.2 requires that your device be online when unlocked. It’s possible for certain devices to get access to vault contents while offline if the user’s business account is configured to allow it. Offline access to vault contents is provided when a user successfully performs a biometric authentication. This is supported on Windows, Linux, macOS, iOS, and Android using each platform’s biometric authentication.

When you unlock with biometrics, the credential bundle is used to decrypt vault contents locally so they can be accessed offline. Clients also keep track of a reauthentication token. This token is used to reauthenticate with the 1Password server within a limited timeframe, without the client performing passkey unlock or reaching out to the SSO server. When an account administrator turns on biometric unlock, they temporarily delegate the responsibility of authenticating you to your device instead of your identity provider.

A reauthentication token is requested when you use biometrics to unlock your passkey or SSO-enabled 1Password account. It’s guarded by the protections described in “Transport security” when it’s transferred from the 1Password server to your device.

On macOS, iOS, and Android devices, quick biometric unlock is protected by the respective platform’s built-in secure elements. On Windows and Linux, the reauthentication token is stored in protected operating system memory while the 1Password app is running, whether it’s locked or unlocked. On the platforms that store the reauthentication token in memory, the token is lost when the app closes or restarts, so you need to sign in to 1Password again.


1. Abdalla, Haase, and Hesse (2023)