This is a critical piece of the future. Apple IDs and the Google Chrome ecosystem are totally vendor locked and they have been willing to use their power to lock out developers, users and people in general who do things they disagree with. Regardless of moral reasons, this is a problem. Both Apple and Google have targeted developers and users who are flagged by mistake or for criticizing these companies.
They will be providing software support for storing WebAuthn credentials along with integration into the FIDO passkey ecosystem, which I understand to be more or less WebAuthn with cross-device sync / login.
I’m curious to see an architecture discussion from 1Password to better understand what security tradeoffs they’ve made with their implementation. I think it’s a great step forward, but it still may not suffice as a single-factor login for a lot of cases.
That’s not to say I won’t be happy storing a good chunk of my current credentials in 1Password. I’m just looking to better understand how this fits in the threat models I need to contend with.
Every time Passkeys comes up, I think it's important to point out it takes the FIDO dongle model where a private key that never left the device is now passed into the hands of either Google or Apple for management.
I mean I totally understand how it could be easier to use and manage, but it just kind of scares me.
I don't think it's quite right to say they never leave your device.
The page you linked says:
"To address the common case of device loss or upgrade, a key feature enabled by passkeys is that the same private key can exist on multiple devices. This happens through platform-provided synchronization and backup."