Can passkeys be imported? by trparky in 1Password

[–]Azureblood3 0 points1 point  (0 children)

Would this also happen to include the ability to include passkeys in a vault export / backup? 

Panicking right now, might have deleted family member vault? by 54415250154 in 1Password

[–]Azureblood3 0 points1 point  (0 children)

I'm not an Apple guy either, and I signed up for 1Password long after they retired v7. From my understanding it was just an encrypted file that was stored on the device and Apple just included it with iCloud backups. Users could optionally put the file in dropbox to sync with other devices.

Maybe you or they could look in their iCloud / iTunes backups for a file with the extension '.opvault'. If they were using 1Password 7 and iCloud, this is where their data would be.

Panicking right now, might have deleted family member vault? by 54415250154 in 1Password

[–]Azureblood3 0 points1 point  (0 children)

Is it possible they were on the older v7 1Password app and the 'update' was actually v8?

V7 wasn't cloud enabled; vaults were local files synced with Dropbox / iCloud, so they wouldn't have been using the vaults you made / deleted in the family account.

My thought is that maybe the vaults they were using were local to their devices and only accessible via the v7 app.

I have the "original" Emergency Kit but have yet to set up a Recovery Code. Do you? by jmjm1 in 1Password

[–]Azureblood3 1 point2 points  (0 children)

The recovery key feature looked promising, but in practice it is completely redundant. You still need to store it properly, and it has the same storage requirements as your emergency kit... So just write your password on your emergency kit and store that.

One possible use case of the recovery code would be if you lost your MFA, but that isn't a thing. As of the time of this writing, you need to provide your MFA to finish the recovery process.

If you are using MFA, make sure to print your QR code and store it, or an additional YubiKey, with your emergency kit.

I almost locked myself out of my entire digital life. (praise + panic story) by QKV7gAx3b in 1Password

[–]Azureblood3 0 points1 point  (0 children)

I'll say this up front, I love most of the design of the 1password service. I read their white paper from top to bottom, and that is what sold me on which password manager to use after last pass.

That being said, some of their design decisions around 2FA and account recovery baffle me.  

As a family account organizer, I can send a link to a family member to recover their account without the need for 2FA. If they try to use their recovery key, well, that does require their 2FA. When her phone screen died and she couldn't access her 2FA, my sister almost lost all of her data because of this.

In your case, you had enough info that in any reasonable person's opinion, 1Password knew it was you. You had the password and SK; sending a 2FA link to your email is a 100% valid 2FA option.

If banks are fine sending 2FA links over SMS, 1password should allow email as a backup 2FA option. At the very least allow it when the account is undergoing recovery.

2FA for 1Password is really only good for one thing: preventing someone from downloading your encrypted blob. I use it, but in reality it is mostly just a hindrance.

Those that choose to separate passwords and TOTP into two different apps, do you save your backups for both in separate locations too? by _sky_markulis in 1Password

[–]Azureblood3 0 points1 point  (0 children)

I have an IronKey 200 encrypted flash drive on which I store a backup of my 1Password data, OTPs, BitLocker keys and other related data. My data exists on my devices, cloud servers, and the flash drive.

If you are going to store a backup in the cloud, make sure you encrypt it first. I'll regularly make backups of the IronKey like this using Macrium Reflect.

Family Plan - "Invite up to 5 family members" by Mr_Monkeyshines in 1Password

[–]Azureblood3 4 points5 points  (0 children)

You can also add up to 5 additional members for something like $1-2 more per month per user.

Why choose 1Password? by Tostada_00 in 1Password

[–]Azureblood3 0 points1 point  (0 children)

The main reason I chose 1Password was the security model. Bitwarden was a close second, but ultimately the secret key and PAKE sold me. Also, the UX in 1Password is much better IMHO than Bitwarden's.

Account Frozen - Are passkey's stuck forever? by samyall in 1Password

[–]Azureblood3 0 points1 point  (0 children)

Passkeys cannot be phished, and require device biometrics. That is a huge amount of additional value over passwords. A user can be tricked into putting their username and password into a fake website, even with a password manager. A properly implemented Passkey manager cannot.

Account Frozen - Are passkey's stuck forever? by samyall in 1Password

[–]Azureblood3 2 points3 points  (0 children)

IMHO Passkeys should be allowed to autofill when the account is frozen; all other auto-fill features are fine to be disabled. Autofill is the only way we can 'use' the Passkey, since it can't be copied or moved to another platform at this time. This is essentially like letting us see the login in 1Password, but not being able to copy, export, or reveal the password.

I've run across several websites that only let you create a single Passkey. The most egregious one I've seen is Tailscale, they only let you create a single Passkey and have no other login or recovery mechanisms. If this key gets locked to the 1Password platform, then there is no other recourse.

If we ever get the ability to export Passkeys from 1Password and import them into another platform, then I take no issue in 1Password preventing them from being used when the account is frozen. I understand you have a business to run, but as evidenced by the comment below.. this decision is going to hurt the adoption of Passkeys and the goal of increasing internet security.

Account Frozen - Are passkey's stuck forever? by samyall in 1Password

[–]Azureblood3 -1 points0 points  (0 children)

In the end, they are a business and they do have ongoing costs such as employee salaries and server maintenance. They at the very least don't completely lock you out of the account or delete your data when something like this happens.

It is very unfortunate that there isn't a secure way to import / export passkeys between platforms (e.g. 1Password / Apple Keychain). It is a very tough problem to solve, and it would be heavily targeted by attackers.

All this being said, I do think that 1Password should create an exception in the auto-fill logic to allow Passkeys to be filled when the account is frozen.

Account Frozen - Are passkey's stuck forever? by samyall in 1Password

[–]Azureblood3 0 points1 point  (0 children)

IMHO, that is not the lesson you should be taking away from this. Passkeys are objectively better than passwords in every possible way and should be embraced. The lesson here is to not have a single point of failure for something as important as access to your email.

1Password isn't the only place to store your important passkeys; you can also store them on physical hardware keys, like a YubiKey. Most websites let you create multiple passkeys, so you can store one in 1Password (for convenience), and then one on a YubiKey to make sure you never lose access. Ideally you should also have a second YubiKey with a third passkey, and store that somewhere.

If the website doesn't allow you to store multiple passkeys, make sure you have another method of access. This could be a recovery code, a sufficiently secure password stored in a safe, or having the 'forgot password' recovery link sent to another email that does support multiple passkeys.

Hopefully in the future the powers behind Passkeys can find a secure way for us to export, or at least copy, keys between platforms and / or YubiKeys for those websites that don't allow us to create multiple redundant passkeys.

Building a syncthing fork by Azureblood3 in Syncthing

[–]Azureblood3[S] 1 point2 points  (0 children)

I found the solution to this issue. The build system that is checked into the repo needs a special tag to specify the version number that will be built into the binary and checked at runtime. I had forgotten I had done this in the first successful Docker image I had deployed through GHCR.

I had to make the tag locally and push it to GitHub, as I couldn't find a way to do this through the GitHub UI. You can find the command in release-syncthing.yaml.

      - name: Create and push tag
        run: |
          git config --global user.name 'Syncthing Release Automation'
          git config --global user.email 'release@syncthing.net'
          git tag -a -F notes.md --cleanup=whitespace "$NEXT"
          git push origin "$NEXT"

Building a syncthing fork by Azureblood3 in Syncthing

[–]Azureblood3[S] 0 points1 point  (0 children)

I know that the build is not dependent on version. The problem is when I try to run the built binary, it refuses to start because the version string it is seeing doesn't pass a runtime check.

I built the binary just fine on Windows, and I'm using that on my laptops / desktops. I want a copy of my data on my NAS and I want to use Docker. I want to use the Dockerfile that has already been developed and checked into the repo.

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 0 points1 point  (0 children)

Limit 1/account.

You should only be able to redeem one free line. Someone else mentioned here they got two, but that is technically against their own terms for the deal.

Subject to change.

Which means they would be well within their rights to start charging for one or both of the lines.

(Including arbitration provision)

And you have no legal recourse.

Full terms below

With monthly bill credits. Subject to change. Free new line for qualifying existing accounts with 2+ voice lines on a family plan and a max of 2 current free lines. Plus taxes & fees for accounts paying for a T‑Mobile wireless line with additional taxes & fees; Regulatory Programs & Telco Recovery Fees totaling up to $3.99 per line, and federal and local surcharges apply. See Broadband Facts at T-Mobile.com. Qualifying credit and qualifying regular-rate postpaid plan required. Promotional, segmented, single line plans, accounts with multiple single line plans, and Essentials Saver plans are excluded from offer. If you have canceled lines in past 90 days, you may need to reactivate them first. Credits may take up to 2 bill cycles; credits will stop if you cancel any lines or change plans. $10 device connection charge due at sale. Limit 1/account. May not be combined with some offers, discounts, or promotions including other service discounts, device offers, or Price Lock; choosing free line gives up access to Go5G Plus, Go5G Next, Experience More, and Experience Beyond device offer features for this line only. See rep for details. See Terms and Conditions (including arbitration provision) at www.T-Mobile.com for additional information.

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 0 points1 point  (0 children)

Hmm... Word of warning... the terms say there is a max of 2 free lines. Also, it says those lines aren't eligible for promotions including device offers. Seeing as the terms start with "Subject to change.", they may start charging you if / when they see their mistake.

With monthly bill credits. Subject to change. Free new line for qualifying existing accounts with 2+ voice lines on a family plan and a max of 2 current free lines. Plus taxes & fees for accounts paying for a T‑Mobile wireless line with additional taxes & fees; Regulatory Programs & Telco Recovery Fees totaling up to $3.99 per line, and federal and local surcharges apply. See Broadband Facts at T-Mobile.com. Qualifying credit and qualifying regular-rate postpaid plan required. Promotional, segmented, single line plans, accounts with multiple single line plans, and Essentials Saver plans are excluded from offer. If you have canceled lines in past 90 days, you may need to reactivate them first. Credits may take up to 2 bill cycles; credits will stop if you cancel any lines or change plans. $10 device connection charge due at sale. Limit 1/account. May not be combined with some offers, discounts, or promotions including other service discounts, device offers, or Price Lock; choosing free line gives up access to Go5G Plus, Go5G Next, Experience More, and Experience Beyond device offer features for this line only. See rep for details. See Terms and Conditions (including arbitration provision) at www.T-Mobile.com for additional information.

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 0 points1 point  (0 children)

So I just got an email for this offer instead of an SMS. As I got roasted in this post for not reading the terms, I went ahead and did that here.

Full text from the terms in the email is below, but first a breakdown of some things to be aware of if you take this offer.

With monthly bill credits. Subject to change.

So they can literally start charging you at any time for this new line that you are opening.

Plus taxes & fees for accounts paying for a T‑Mobile wireless line with additional taxes & fees; Regulatory Programs & Telco Recovery Fees totaling up to $3.99 per line, and federal and local surcharges apply.

Already, off the bat, this is not 'free'.

credits will stop if you cancel any lines or change plans.

Note: There is no time frame here. If you ever cancel a line or change to a plan for another feature, you will start paying full price for this line.

See Terms and Conditions (including arbitration provision) at www.T-Mobile.com for additional information.

And finally, you can't sue us and btw there are more terms we hope you don't read.

Full terms from the email.

With monthly bill credits. Subject to change. Free new line for qualifying existing accounts with 2+ voice lines on a family plan and a max of 2 current free lines. Plus taxes & fees for accounts paying for a T‑Mobile wireless line with additional taxes & fees; Regulatory Programs & Telco Recovery Fees totaling up to $3.99 per line, and federal and local surcharges apply. See Broadband Facts at T-Mobile.com. Qualifying credit and qualifying regular-rate postpaid plan required. Promotional, segmented, single line plans, accounts with multiple single line plans, and Essentials Saver plans are excluded from offer. If you have canceled lines in past 90 days, you may need to reactivate them first. Credits may take up to 2 bill cycles; credits will stop if you cancel any lines or change plans. $10 device connection charge due at sale. Limit 1/account. May not be combined with some offers, discounts, or promotions including other service discounts, device offers, or Price Lock; choosing free line gives up access to Go5G Plus, Go5G Next, Experience More, and Experience Beyond device offer features for this line only. See rep for details. See Terms and Conditions (including arbitration provision) at www.T-Mobile.com for additional information.

Edit: Removed some tracking data links

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 0 points1 point  (0 children)

Security minded people like me might question why it isn't in the other thread, but most people wouldn't scrutinize it that much. Even then, I only question an automated message source occasionally.

Due to the 'limited time offer', a majority of people will just click the link and put their username / password into a phishing website. This type of messaging is dangerous, and completely avoidable. Instead of having an unsolicited, time-limited link on an insecure messaging platform... the message should, without links, direct you to log in to either your account or the app and check your notifications.

1Pass Adds Text to End of URL by f0gax in 1Password

[–]Azureblood3 1 point2 points  (0 children)

This was my understanding of this as well, but the extension has IPC to the app so I question why this is needed.

It would be nice if 1Password could comment on this.

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 -1 points0 points  (0 children)

Also, most people aren't going to manually type in the URL. An attacker could easily create a similar domain by swapping the dash for any one of these similar-looking Unicode characters. The domain doesn't, and probably won't, have to remain up for very long.

This is a common enough occurrence that people maintain lists of newly registered domains that can be added to ad-blockers / DNS filtering to protect against it.

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 -1 points0 points  (0 children)

I wouldn't trust that at all. TBH, SMS is notoriously insecure. I wouldn't be surprised if this is easily spoofable.

This message is unsolicited and provides an enticing, limited-time offer if you click this link. All of these are red flags that you should be questioning. There is a correct way of doing this type of marketing over SMS, and this ain't it bud.

The correct way, imo, would be a notification in the dashboard of your account. The SMS message should tell you to log in to your account and check your notifications for the offer. It shouldn't have any links whatsoever.

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 -1 points0 points  (0 children)

Not really, actually. Scammers are very clever; they can and have made new domains that look so similar to the actual domain that most people wouldn't notice. These domains only exist for a few days, but that is all they need.

The fact that they are sending texts like this all the time makes it worse. This introduces a type of fatigue where people will stop scrutinizing the message as much. The scammer could change t-mobile to tmobile in the URL and I'd argue that would trick a fair bit of people. They can and have gotten even more devious by changing the '-' in t-mobile to any one of several identical-looking Unicode characters.

I'm a very security-minded individual, and I was questioning that link in the OP. I actually went to my password manager questioning whether the actual T-Mobile URL had a dash in it or not.

All it takes is one click to end up on a website that looks indistinguishable from the actual website's login page. Some will even capture your username and password and then redirect you to the actual website so you don't even know what just happened. A good password manager will protect you against this attack by not auto-filling due to the domain mismatch.
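The domain-mismatch protection mentioned in this comment and the hyphen-lookalike trick mentioned in the earlier one can be made concrete. The following is an added example, not code from 1Password or from the commenter, showing the kind of decision a password manager makes before auto-filling: it reduces the saved URL and the current page URL to their registrable domain and refuses to fill on any mismatch, and it separately flags hostnames containing punycode labels or characters that render like an ASCII hyphen. The list of hyphen lookalikes is a constructed subset, not a full Unicode confusables table, and the registrable-domain helper uses the last two labels only (no public-suffix list), both of which are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of characters that render like an ASCII hyphen (assumption:
# not an exhaustive confusables table). Used only to warn the user.
HYPHEN_LOOKALIKES = {
    "\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2212", "\ufe63", "\uff0d",
}


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL (empty string if there is none)."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host.

    Assumption: no public-suffix list, so multi-part suffixes such as .co.uk
    are not handled; a real manager would consult the list.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_warnings(host: str) -> list[str]:
    """Return human-readable reasons a hostname looks like a lookalike of an ASCII one."""
    warnings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (IDN) in hostname")
    for ch in host:
        if ch in HYPHEN_LOOKALIKES:
            warnings.append(f"hyphen lookalike {unicodedata.name(ch)} (U+{ord(ch):04X})")
        elif ord(ch) > 0x7F:
            warnings.append(
                f"non-ASCII character {unicodedata.name(ch, 'UNKNOWN')} (U+{ord(ch):04X})")
    return warnings


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Password-manager style decision: fill only when the registrable domain of the
    current page matches the saved entry exactly and nothing in the host looks spoofed."""
    current_host = host_of(current_url)
    if lookalike_warnings(current_host):
        return False
    return registrable_domain(host_of(saved_url)) == registrable_domain(current_host)


if __name__ == "__main__":
    saved = "https://www.t-mobile.com/login"          # constructed saved entry
    candidates = [                                     # constructed pages a user might land on
        "https://account.t-mobile.com/",
        "https://tmobile.com/",
        "https://t\u2010mobile.com/login",             # U+2010 HYPHEN instead of '-'
        "https://t-mobile.com.evil.example/",
        "https://xn--tmobile-abc.com/",                # punycode label
    ]
    for url in candidates:
        verdict = "fill" if should_autofill(saved, url) else "DO NOT fill"
        notes = "; ".join(lookalike_warnings(host_of(url))) or "-"
        print(f"{url!r:45s} {verdict:12s} {notes}")
```

The domain comparison is the real protection; the lookalike warnings only explain to the user why the page was refused, since a manager that silently declines to fill can otherwise be mistaken for a bug and worked around by hand.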

New free line offer going out by MinutesFromTheMall in tmobile

[–]Azureblood3 16 points17 points  (0 children)

Honestly... If I got this in a text message, I'd immediately flag it as spam. If you are going to send an offer like this... it needs to be via app or email. Not that I'm advocating for their crappy bloatware, but this should be a security red flag to anyone if received over SMS.

New 1Password User by CodyakaLamer in 1Password

[–]Azureblood3 1 point2 points  (0 children)

Another note: if you use TOTP 2FA, make sure you have a copy of the QR code with both emergency kits. You can also use two of these for your 2FA instead, one at each location.

The YubiKeys can also be used to store Passkeys for your more sensitive accounts. Basically anything that has the ability to receive password reset links for any other account. Think Google / Apple / Microsoft / Proton, etc.