1Password passkeys – Analysis of sign-ups and logins with passkeys: Best practices from 1Password
This article series aims to provide a systematic overview of the passkey process and user experience for different companies as they move towards a password-free world. While the goal is to improve user-friendly and secure authentication, each company has its own unique way of implementing passkeys.
- Availability since June 6, 2023
- 1Password only serves as a storage and management system for passkeys created by its users on different passkey-ready websites
- Passkeys created without utilizing 1Password, however, are stored within the service-side environments of those websites
- Passkey storage and retrieval only work through the 1Password beta release browser extension
- 1Password (if activated) is always prioritized over platform-specific features for storing created passkeys(e.g., Apple iCloud Keychain or Google Password Manager)
- Platform operators open their platform-internal systems and functionalities to third-party providers and allow alternative storage locations for passkeys outside their own infrastructure
- 1Password beta release browser extension is available only for desktop devices
- Extension allows for full passkey synchronization across major platforms and browsers on desktop devices (including Windows devices)
- No support of 1Password passkeys in the 1Password beta release app for mobile devices (currently under development)
- Support of 1Password passkeys in the 1Password app expected in iOS 17
- No synchronization between 1Password beta release browser extension on desktop and 1Password beta release app on mobile devices for passkeys at the moment
- Retrieving a passkey stored in 1Password doesn’t require reconfirming biometric data (as long as 1Password is activated)
- Conditional UI feature is not yet implemented
- The term "passkeys" is used along with the official FIDO passkey logo
More and more companies from a wide range of industries are stepping into a password-free world and implement passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience of those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into 1Password. Since June 6, 2023, passkeys created on websites can be stored and retrieved using the 1Password beta release browser extension for desktop devices on major platforms and browsers. The rollout of 1Password passkeys is a game-changing milestone on the way to a seamless cross-device usage and full synchronization between all platforms. Platform providers like Apple and Google fully support this approach as well. They incorporate the functionality of password management tools like 1Password directly into their operating systems. This not only allows users to store passkeys in alternative locations beyond the platform's native storage features but also enables password managers to transmit their customers towards a password-free world.
- Status of the analysis is June 2023. Passkey features are subject to change by companies on an ongoing basis.
- Please refer to the use cases to find the devices we used for the analysis.
- The terms "1Password beta release browser extension" and "1Password" are often used interchangeably in reference to the browser extension.
2. Key insights from 1Password analysis
In this section, we present the most important insights we have gained from the analysis of 1Password passkeys.
2.1 Highlights of 1Password passkeys implementation
2.1.1 Sophisticated passkey storage functionality
When the 1Password beta release browser extension is active, saving the created passkey is always prioritized within 1Password, rather than using the platform-specific passkey management features. This is because 1Password aims to encourage users to store as many passkeys as possible within their password manager. If users were initially given the option to store the passkey in a platform-specific passkey manager, such as Apple iCloud Keychain, the likelihood of subsequently selecting 1Password as an additional storage option would be significantly reduced. Consequently, the conversion and traction for 1Password passkeys would diminish, impacting their relevance.
2.1.2 Easy passkey retrieval and passkey login
Once a passkey has been stored via 1Password, it can be retrieved very easily by the user, as 1Password detects whether an account with passkey has been stored for this website. The retrieval of the passkey can be triggered with a few clicks. It is particularly noteworthy that the user doesn’t have to verify his biometric data again when retrieving it. This means that the biometric scan is only required during creation, which makes the login process with 1Password extremely user-friendly.
2.1.3 Seamless 1Password beta release browser extension synchronization
The 1Password beta release browser extension offers seamless synchronization, allowing passkeys to be synced and retrieved across different platforms, including previously incompatible ones like Apple and Windows. This is the most seamless synchronization we came across so far, putting pressure on major tech players to integrate similar functionalities by default into their passkey management features.
2.1.4 Smart passkey management
1Password detects for which websites a passkey has already been created and lists them in the 1Password beta release browser extension as well as in the normal 1Password browser extension/app. The detection includes the creation timestamp. Also, 1Password uses the official passkey icon to clearly indicate that it is a passkey. If the user has multiple accounts for a website stored in 1Password, it is possible to select for which account the passkey should be created.
2.2 Drawbacks of 1Password passkeys implementation
2.2.1 No synchronization with mobile devices
At the moment, the usage of 1Password passkeys is limited to the beta release browser extension on desktop devices. The functionality to save and utilize passkeys with the beta release app on mobile devices is not yet available. Consequently, there is no synchronization of saved passkeys between desktop and mobile devices at this time. However, according to 1Password, they are currently working on developing this feature.
2.2.2 Inconvenient Conditional UI functionality
Conditional UI leverages the autofill function passkeys provide. It automatically prefills passkeys as soon as the user clicks on the username input field. This means that users no longer must search for their credentials manually (not even usernames!), as they are already stored in the device / browser and are automatically pre-filled. When websites support Conditional UI, retrieving a passkey created through 1Password can be inconvenient. The issue arises when multiple passkeys for different accounts have been stored for the same website, both in the platform-specific password manager and in 1Password. This creates a problem where the dropdown menus overlap, and the platform-specific password manager takes priority, making it challenging for users to select the 1Password account. However, if only one passkey has been saved in 1Password for the website, users can click on the suggested passkey in the 1Password dropdown menu, but they still need to click the corresponding login button again.
2.2.3 Different user experience in Chrome and Safari
If you have enabled the beta release browser extension of 1Password but prefer to store the generated passkey using the platform's internal storage features rather than the extension itself, there are notable differences in the user experience between Chrome and Safari. In Chrome, the familiar passkey flow is initiated, allowing you to create a passkey after dismissing the automatically appearing 1Password pop-up. However, in Safari, the passkey flow is not triggered, preventing the creation of a passkey. This distinction could be attributed to varying implementations of 1Password passkeys or differing strategies employed by platform operators to accommodate third-party providers and password managers.
2.2.4 Challenging user communication
1Password has made an official announcement regarding the rollout of passkeys, and users who are unfamiliar with this feature or want more detailed information can refer to their documentation. However, in the 1Password beta release browser extension, there is currently no specific information or explanation provided about passkeys. It is possible that 1Password assumes that users who install the beta release extension to utilize passkeys are experienced users already familiar with this technology. Therefore, the term "passkeys” is used without further elaboration in the beta release browser extension.
3. Analysis of the login process
To make the analysis of 1Password passkeys as comprehensive as possible, we tested the login process with several device-browser-combinations. We have recorded the outcomes in the following use cases. To better understand the use cases, please read through the conceptual definitions of passkeys below before jumping into the use cases.
3.1 Conceptual definitions
3.1.1 Creation of passkeys vs. storage of passkeys
The creation of passkeys refers to the process of generating a passkey that provides access to specific accounts or services through biometric authentication. 1Password only serves as a storage and management system for passkeys created by its users on different passkey-ready websites. The role of 1Password is only to store and synchronize created passkeys across devices using its beta release browser extension. By storing passkeys in 1Password, users can access them on any desktop device with the 1Password beta release browser extension activated. To access the passkey stored in 1Password, the user needs to log in to the 1Password beta release browser extension using the corresponding 1Password account.
3.2 Tested cases
Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Windows device prior to Windows 10). Also, for testing purposes we used different services that support passkeys (e.g., Passkeys.eu, WebAuthn.io, and Shopify) as well as different accounts.
In this use case, we have tested creating a passkey with the 1Password desktop app open. Please note that this is the normal 1Password version and not the beta version.
Since 1Password passkeys are only available in the beta version, we encountered the normal passkey flow for Apple devices, which has already been described in detail in our analyses of eBay, Google, Shopify and KAYAK passkeys.
Here, we performed the same test as in the use case above. Instead of Safari, we used Chrome this time. Here, too, we encounter the already familiar passkey flow.
Now, to test 1Password passkeys properly, we installed the 1Password beta release browser extension for Safari and Chrome on our MacBook.
Below you’ll find a detailed installation guide for Safari and Chrome.
Safari installation guide
1. Close the normal 1Password desktop app or stop using the normal 1Password browser extension
2. Go to 1Password beta releases: https://support.1password.com/betas/#install-a-beta-release-of-the-1password-browser-extension
3. Click on 1Password browser extension
4. Click on Safari
5. Install TestFlight
6. Click on Start Testing (TestFlight opens)
7. Click on Accept
8. Click on Install
9. Click on Open Safari Settings after installation
10. Set Checkbox next to 1Password for Safari
11. Click (2x) on Always Allow on Every Website
12. Success message in Safari
13. Click on I’m all set
Chrome installation guide
1. Close the normal 1Password app or stop using the normal 1Password browser extension
2. Go to 1Password beta releases: https://support.1password.com/betas/#install-a-beta-release-of-the-1password-browser-extension
3. Click on 1Password browser extension
4. Click on Add
5. Click on Add extension
6. Pin 1Password Beta
7. Success message in Chrome
8. Click twice on I’m all set
9. Success message in Chrome
10. 1Password in Chrome’s toolbar
After the 1Password beta release browser extension has been successfully installed, we can now start testing 1Password passkeys.
We tested this use case on WebAuthn.io. After entering the email address, the 1Password browser extension automatically suggests saving it in 1Password.
We dismissed this pop-up by left clicking outside the authentication mask and then clicked on "Register. This triggered a 1Password pop-up in the right corner of Safari (see 2nd screenshot below).
To clarify, it’s important to note that 1Password passkeys don’t refer to the passkeys used for logging into 1Password applications like the desktop app or browser extension. Instead, 1Password Passkeys simply represent a new way of storing passkeys.
When the 1Password browser extension is open, the interesting thing is that storing the created passkey in 1Password is always prioritized over the usual storage in the platform’s own password managers (here Apple iCloud Keychain).
After clicking on “Save” the passkey was saved in 1Password, which was also confirmed by a pop-up.
When going to your 1Password browser extension panel, you can find the stored passkey and its properties. Interestingly, the passkey can also be found in the normal 1Password desktop app.
In this use case, we logged in with the account that we created in the use case before. Please note that we tested this use case on a website that supports Conditional UI. For the sake of completeness, we also want to mention that we turned off the autofill feature provided by 1Password (2nd screenshot).
By clicking in the username field, 1Password detected that an account exists for this website. This is signaled by the appearing drop-down menu. When a website supports passkeys, the 1Password pop-up will display the official passkey icon next to the account details if a passkey already exists for that account. This feature is activated only when the website supports passkeys. In the case where a website supports passkeys but no passkey has been created for an account, 1Password will correctly detect this and the passkey icon will not be shown.
As mentioned, the Conditional UI feature is supported here, allowing for the use of a passkey stored in the Apple iCloud Keychain for another WebAuthn.io account. When logging in, this passkey is displayed as the first suggestion in the drop-down menu under the username field, as seen in the screenshot below. Consequently, the platform-specific password manager's drop-down menu consistently takes precedence. The passkey created in use case 3 using 1Password is listed below. This causes inconvenience for users, as they may encounter an unintended account that is challenging to dismiss, significantly impacting the overall user experience.
If Conditional UI is not supported and the 1Password beta release browser extension is open, only accounts saved in 1Password will be suggested. If the 1Password beta release browser extension is closed, then nothing is suggested.
After several attempts, we were able to click away the overlapping drop-down menu and select the account saved in 1Password.
Just as a side note, we want to mention that the Conditional UI feature doesn’t work properly because we still had to manually click on "Authenticate" after clicking on the 1Password account in the drop-down menu.
After clicking on “Authenticate”, the pop-up in the right corner in Safari signals that we are signed in with the passkey stored in 1Password.
It is worth noting that we don’t have to verify via biometrics again.
For MacBook, the tested 1Password passkey use cases work the same across all browsers that support the 1Password browser extension beta release.
During this use case, we examined the passkey flow while having the 1Password browser extension beta release activated, but with the intention of creating a passkey and storing it in the Apple iCloud Keychain. Upon clicking the "X" button in the top-right corner of the 1Password pop-up, we received a verification email prompting us to confirm our account (Passkeys.eu). Consequently, it was not possible to create a passkey in this way. While no passkey could be created this way, there is at least the fallback to log in via email magic link. For other passkey-ready websites, this fallback was not implemented in Safari. Although this is not a bug, it highlights the inconvenience experienced by users in specific cases where 1Password is consistently prioritized over platform-specific passkey managers, even when it may not be the desired choice at the moment.
In this use case, we have tested the same as in the use case before, but in Chrome.
After clicking „Sign up“ the familiar passkey flow was triggered. Next, we clicked on “Continue”.
In contrast to the previous use case, we were able to create a passkey after clicking the "X" button on the automatically appearing 1Password pop-up in the upper right corner.
To test the cross-device synchronisation of 1Password passkeys, we first created a new account on Shopify in Safari using a MacBook. We saved the credentials of this account (e.g., username and password) in the 1Password browser extension beta release, which was opened at that time.
After successfully saving our Shopify account in 1Password, the automatic Apple iCloud Keychain pop-up appeared. This means that same account can be stored in both 1Password and the Apple ecosystem at the same time. That said, it’s worth noting that the 1Password pop-up is triggered before the platform-specific password manager pop-up (identical for Google password manager in Chrome). We assume that 1Password thereby wants to ensure that accounts are preferentially stored and synchronised in the 1Password password manager.
For testing purposes, we clicked on “Not Now” at the Apple iCloud Keychain pop-up so that the account is only saved in 1Password.
To initiate the 1Password passkeys cross-device synchronisation test now, we created a Shopify passkey for our Shopify account. How Shopify implemented passkeys for their e-commerce shops can be explored in our analysis of Shopify passkeys.
After going through the entire Shopify passkey creation process, we clicked “Save” on the 1Password pop-up that appears at the top right of the browser. By doing so, the Shopify passkey was now stored in 1Password and the previous account information (username and password) was updated.
Now that the Shopify passkey is stored in 1Password, it can be retrieved on all devices on which the 1Password (beta release) is installed as a browser extension.
This marks the most seamless cross-device usage we have come across so far. The 1Password technology allows for the synchronization of passkeys across platforms that previously lacked compatibility for synchronization. For example, a passkey created on an Apple device and stored in 1Password can now be retrieved on a Windows device and vice versa.
However, synchronization with mobile devices doesn’t work yet because 1Password passkeys for mobile devices are not yet supported (see use case 7). One potential solution to this limitation would be to utilize the synchronization feature offered by platform-specific password managers such as Apple iCloud Keychain for Apple devices. However, it should be noted here that this synchronization only works for specific Apple device-browser combinations.
As demonstrated in previous use cases, the passkey created for a particular service (e.g., Shopify) is always also stored in the service’s settings. Unlike services such as Google, Shopify does not recognize or display the fact that a passkey has been stored in 1Password within its own passkey properties.
To test the actual cross-device synchronisation of passkeys stored in 1Password, we logged into the same account with an iPhone in Safari as in the previous use case.
Please note that no 1Password app (neither the normal nor the beta version) is installed on this iPhone.
As the passkey for this Shopify account is stored in the Shopify account settings as mentioned in the previous use case, Shopify detects that a passkey exists for this account.
After clicking on “Log in with passkey”, our iPhone couldn’t retrieve a passkey.
The support to store and retrieve passkeys in 1Password is currently being developed, which is why it is not yet available. As a result, synchronization of passkeys between desktop and mobile is not possible in 1Password at the moment.
After testing the iOS 17 beta release, we expect 1Password passkeys to be available in the 1Password iPhone app with the iOS 17 release.
After we have created a new KAYAK passkey via the MacBook in Safari and stored it in 1Password, we want to demonstrate the seamless cross-device usage between different platforms in this use case.
We intentionally retrieved the KAYAK passkey stored in 1Password using the 1Password beta release browser extension on a Windows device. Previously, passkey synchronization between Apple and Windows platforms was not possible, but this use cases shows the upgraded cross-platform functionality.
1Password, being one of the pioneers in the field of password managers, is at the forefront of driving the transition towards passwordless authentication with the introduction of 1Password passkeys. Since June 6, 2023, users have the ability to store and retrieve passkeys from passkey-ready websites using the 1Password beta release browser extension. Presently, this functionality is exclusively available on desktop devices. By exclusively utilizing the 1Password beta release browser extension for passkey storage, passkeys can be retrieved across various platforms and browsers where the extension is installed, enabling synchronization between platforms that were previously unable to sync through platform-specific password managers. This cross-device compatibility showcases 1Password's commitment to facilitating seamless usage and may motivate other tech players to adopt similar features. However, it's important to note that 1Password passkeys are not yet compatible with mobile devices, but according to 1Password, this is a feature currently in development.
Enjoyed this read?
Stay up to date with the latest news, strategies and insights about passkeys sent straight to your inbox!