What is a passkey? Is it a file saved to a device? Can it be on multiple devices? How do you set it up on your first device? What if you lose your device? Do you need your first device to add it to a second device? How is that different than a text field saved to a password manager?
A lot of your other questions depend on the service. Generally you can still opt to use a password+2FA instead even if you have PassKeys enabled so adding one on a second device would simply require logging in with the password first or authenticating from another device if the service supports it.
I don’t use 1Password so I can’t speak to their setup.
It’s much more secure on ‘less than trusted’ devices and for less than secure people.
Instead of having to type your password in on your friends laptop that may have a keylogger installed, you just type your username in and then do your fingerprint on your phone. That’s it; your phone verifies it’s you and then transmits the passkey over Bluetooth, so it can’t be phished or observed while you type it.
For less than secure people, you don’t have to convince them to use a password manager and stop writing their passwords on sticky notes. They just type in their username and do their fingerprint on their phone. It can’t be phished so even if someone is remotely controlling a victims computer the damage is limited to allowing access to a single account on that physical computer - they can’t take that passkey and use it anywhere else, unlike a password for an email account that’s used for online banking as well. They also can’t keylogger it and then log in after they’re disconnected from the victim.
It definitely is. A passkey in a TPM, for example, cannot leave a device. Also, passkeys can have phishing resistance that you cannot obtain with a password and most MFA solutions.
Where passkeys fall short is registering new devices and recovery. I’m not sure what 1Password’s solution is here.
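The phishing resistance the two replies above describe, shown as an added simulation that is not from this thread, 1Password, or any passkey library: the authenticator signs the site identifier the browser actually saw together with a one-time challenge, so no assertion is ever produced for a lookalike origin and a captured assertion cannot be replayed. An HMAC secret stands in for the device-bound private key, and the site names and user are constructed.

```python
import hashlib
import hmac
import secrets

RP_ID = "bank.example"  # constructed site the account lives on

def rp_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """Stands in for the phone. Real passkeys hold an asymmetric private key; an HMAC
    secret is used here so the block runs on the standard library alone."""
    def __init__(self):
        self._secrets = {}  # per-site secrets; only register() ever hands one out
    def register(self, rp_id):
        # In real WebAuthn the site would receive a public key and the private half
        # would never leave the device; with HMAC the verification key is the same secret.
        self._secrets[rp_id] = secrets.token_bytes(32)
        return self._secrets[rp_id]
    def assert_login(self, rp_id_from_browser, challenge):
        # The browser, not the user, supplies the site it is really on.
        key = self._secrets.get(rp_id_from_browser)
        if key is None:
            return None  # no passkey for this origin: nothing to hand over
        client_data = rp_hash(rp_id_from_browser) + challenge
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id, self.keys, self.pending = rp_id, {}, set()
    def challenge(self):
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c
    def verify(self, user, assertion):
        if assertion is None:
            return False
        client_data, sig = assertion
        if client_data[:32] != rp_hash(self.rp_id):
            return False  # signed for a different site than this one
        if client_data[32:] not in self.pending:
            return False  # unknown or already-consumed challenge (replay)
        self.pending.discard(client_data[32:])
        expected = hmac.new(self.keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)

def run_scenarios():
    phone, bank = Authenticator(), RelyingParty(RP_ID)
    bank.keys["alice"] = phone.register(RP_ID)
    first = phone.assert_login(RP_ID, bank.challenge())
    genuine = bank.verify("alice", first)
    replayed = bank.verify("alice", first)  # captured assertion resent: challenge already used
    # A lookalike site relays the real challenge, but the browser reports its own origin.
    relayed = bank.verify("alice", phone.assert_login("bank-example.test", bank.challenge()))
    return genuine, replayed, relayed
```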
Small nuance:
“Later this summer, you’ll see the option to participate in our telemetry system and help improve 1Password. You don’t need to take any action right now, and we won’t collect any usage data without your awareness and consent first. Participation will be optional for Individual and Family plan customers. And at this time, our telemetry system won’t be rolled out to any team or business using 1Password.”
Aka, it’s an opt-in that you can simply not opt-in to and if you don’t nothing changes and then it won’t be used on you.
And at this time, our telemetry system won’t be rolled out to any team or business using 1Password.
Uhh, what? If it’s opt-in why does it matter if team or business doesn’t have this? Different standards? To go through such lengths to explain this telemetry stuff to convince people, “Oh, no worries, yo! It’s OPT-IN! Trust us!” feels very dirty to me.
Business software has very different requirements. It’s much harder to implement stuff for them without breaking those requirements. Think compliances like (ISO) norms and laws regarding commercial businesses, contracts, or even the software being made to work and be administrated on a whole different scale. You can’t compare really…
While I agree it could go worse from here into a downwards spiral of enshitification, all I meant was that the title is a bit misleading into the other direction; making it sound like they would force telemetry onto users. If they wouldn’t say shit about this option, no one would sign up, even if they wouldn’t mind it. And basically, they’re explaining how they tried to make it as anonymous as possible and that it’s opt-in, which would also be a way to go if you legitimately want to get data for improvement only. If that’s truly what they want, time will tell.
The moment it stops being optional I’m looking for a different password manager right away, I switched more complex and important things for similar reasons. But since my experience with them has been good, I’ll give them the benefit of the doubt for now.
For now. This is step one of enshittification. Step 2 is enabling it for new accounts by default. Step 3 is removing the ability for new accounts to turn it off. Step 4 is defaulting it on for legacy users, and step 5 makes it mandatory for everyone that isn’t paying for something.
Also the decision to exempt business and teams makes no business sense. Companies derive the lion’s share of their revenue from enterprise. If a company wants to optimize their product offering, you’d do so with your most desirable, profitable segment in mind. This just seems like a backwards decision.
I think more probably, they’re dogfooding it on the consumer segment and then after they’ve worked out the “oops, we shouldn’t have collected that bit of data” errors, they’ll move to include enterprise. But I’d guess that consumers are the guinea pigs here.
I use vaultwarden because I couldn't get the premium bitwarden to load on my self hosted bitwarden server, but same thing really. I still pay for premium bitwarden. It's worth it for such a great product.
main vault is a full offline database in keepassxc
I’m curious what your config looks like for this. How do you keep your db offline but accessible? Is it a restricted docker container? How do you access it when you’re not at home or on multiple machines (like a laptop)?
Offline as it’s not being synchronized into the cloud anywhere; if I need it elsewhere I just copy it manually from my main OS. I could use some solution but it’s not worth the effort for my needs. What I keep in bitwarden is enough for my mobile needs.
Dumb question but is there something you don’t like about the mobile keepass database editors? I practise similar vault separation but I always just create a new temp keepass database for certain situations (work, school, etc) and just backup my main one.
Not OP but I have my KeePass file on a locally hosted Nextcloud instance. Synced to multiple computers and phone but the Nextcloud server is only accessible at home LAN.
Passwords are the kind of data that don't belong in the cloud, in my opinion. Those companies are too juicy targets.
Nah. It’s just a tried and true step of enshitification. Fingers crossed that bitwarden is already profitable so we still have a good cloud password manager…
Keep calm folks, they’re just not profitable right now. Unlike some of the smaller players with a viable business model, they just need to remain profit-driven until those profits arrive.
In that case, assuming I read you correctly, I have to disagree. Privacy and security companies cannot rely on advertising or telemetry to be profitable; doing so is counter and paradoxical to their standing as a security/privacy company.
Bitwarden seems to be doing just fine. 1Password should be taking cues from them, not advertising revenue
Come on - this is 1Password we are talking about; I think they’ve earned a little bit of goodwill given their past behaviour. Transparency is key. Keep in mind that they could do almost whatever they want without telling us.
If you're not willing to trust what they say about the anonymity of the telemetry system, or to opt out, then I think you wouldn't be happy trusting them with all your passwords in the first place!
If you're willing to stick to Safari, then I think using Apple Keychain is best, especially since they'll be adding sharing this year.
Yeah this is what I don’t get. They already hold your most precious secrets and now you don’t trust them with a telemetry system?! Seems an odd order of concerns to me.
Telemetry, even scrubbed, can provide enough metadata to de-anonymize the user. If the goal is to reduce your threat vectors, then it's a valid concern.
Given data breaches are increasing, the less data that is collected the better.
I’m happy with enpass myself for a few years now. It has all kinds of sync options and wifi p2p sync if you want to be offline. They offer subscription shit, but luckily also a normal software license to buy.
You can use keepassXC and "self-host" your passwords on any cloud-storage you want (it's just a file after all), but if you are using 1Pass at the moment, I don't see an opt-in anonymized telemetry system as a reason to switch.
This seems transparent, well thought out, and opt-in. The headline concerned me but once I read the article this seems fine. I moved from LastPass to 1Password because of the horrible communication around breaches in the last few years.
I recently switched from Bitwarden to 1Password and don't regret it one bit. Their app is substantially improved over Bitwarden. Layout is significantly more intuitive and autofill works better than Bitwarden on iOS/macOS.
@Jeze3D @wet_lettuce I have demoed 1Password for around a day and still not sure if I should make the switch. Is the extra secret code a usability issue compared to just the master password?
It's not for me, no. I guess it depends if you're going to be logging in on random computers frequently (I do not). I printed out a hardcopy of their "recovery kit" which has your secret code and put it in my firesafe. It's a nice extra layer of protection vs only a single master password which can be sniffed especially since it contains the credentials to my entire life.
Also I always have my phone on me which is logged in to 1Password, and I can view my secret key from there wherever I am.
Tough place for 1Password, who clearly want to be able to collect data to maintain a competitive edge, but have an audience of security conscious users who may not be comfortable with this. But as always transparency is appreciated.
It's also incredibly important to note that they are making this explicitly opt-in. So none of that 'dark pattern' mumbo jumbo with the tyranny of the default, where companies opt you in and most users don't realize they have to opt-out.
All in all they are going about this the right way it seems. The devil will be in the de-identifying technical details imo.
Huh? They are interested in improving their app - to do that, understanding what choices people make (which buttons do they press, which do they miss etc) is helpful. They’re not trying to monetise your behaviour for goodness sake, but give you a better experience.
Just leaving a comment here since I haven't seen anybody else mention it: participation is optional for Individual and Family plans, and at this time it will not be applied to Team and Business plans.
It is no doubt a good thing for them to at least try to be "transparent". I hope it is really their intention. I was a customer but I have migrated to selfhost Bitwarden (with Vaultwarden) already.