Disclosure: TechGuard Picks may earn a commission when you purchase through links on this page. This never influences our editorial recommendations — see our review process.

How to Set Up Passkeys in 1Password for Team Logins (2026 Guide)

To set up passkeys in 1Password for team logins, you create or import a passkey item inside a shared vault, assign it to the correct group, and enable the WebAuthn/FIDO2 policy in your team's Admin Console — the whole process takes under 15 minutes once your vault structure is in place. This guide walks through every step from account prerequisites to policy enforcement, with verification checks and troubleshooting for the most common errors teams hit.


Prerequisites / What You'll Need

Before you start, confirm every item on this list:

  • 1Password account tier: Teams ($19.95/month flat for up to 10 users, billed annually) or Business ($7.99/user/month, billed annually, minimum 1 user — no stated seat floor for Business but pricing pages show per-user). The free Individual plan does not include shared vault passkey management or Admin Console access.
  • 1Password app version: Desktop 8.10.30 or later (macOS 13+, Windows 10/11, Linux with GNOME Keyring). The browser extension must be version 2.22.0 or later (Chrome 120+, Firefox 121+, Safari 17+, Edge 120+).
  • Mobile (optional but recommended): 1Password iOS 8.10+ on iOS 17+ or 1Password Android 8.10+ on Android 14+.
  • A site that supports passkeys: The relying party (the website or app you're logging into) must implement WebAuthn Level 2. If it doesn't, you'll see no "Save passkey" prompt — this is the single most common source of confusion.
  • Admin Console access: You must be an Owner or Administrator in your 1Password Teams/Business account.
  • Device unlock method: Face ID, Touch ID, Windows Hello, or a device PIN — 1Password uses these to gate passkey release.
  • Existing vault structure: At least one shared vault your team already has read/write access to. If you're using Personal vaults exclusively, passkeys won't be visible to other team members.

Step 1: Enable the Passkey Policy in the Admin Console

Log in to 1password.com with your Owner or Administrator credentials.

  1. Click Admin Console in the left sidebar.
  2. Navigate to Policies → Authentication.
  3. Locate the toggle labeled "Allow members to save and use passkeys." It is off by default on accounts created before March 2025.
  4. Toggle it on and click Save.

Expected output: A green confirmation banner reads "Policy updated." Team members will see the passkey option appear in their clients within 60 seconds on desktop (the app polls for policy changes on a 60-second interval).

Gotcha: If you don't see the Authentication sub-menu, your account may be on the legacy "Teams Starter" plan ($19.95/month for up to 10 users, billed annually). Passkey policy controls are available on Teams Starter, but the menu path is Settings → Security rather than Policies.


Step 2: Configure the Shared Vault for Passkey Storage

Passkeys saved inside 1Password live as a distinct item type ("Passkey") attached to a Login item. For team sharing, that item must live in a shared vault — not an employee's Personal vault.

  1. In the 1Password desktop app, click + New Vault (or select an existing shared vault).
  2. Name it something specific, e.g., "Team Logins – Passkeys" to distinguish it from legacy password vaults.
  3. Click Manage → Groups and assign the relevant team group (e.g., "Engineering," "Marketing") with Read & Write permission.
  4. Confirm the vault is visible to all intended members under Admin Console → Vaults.

Gotcha: Members on the Guest role cannot access shared vaults at all. If a contractor needs passkey access, you must upgrade their role to Member ($7.99/user/month on Business) or create a limited-access Custom Role.


Step 3: Generate or Save a Passkey for a Login

This is the step each team member performs — or that an admin performs once and shares via the vault.

3a — Saving a new passkey during site registration

  1. Navigate to the target website in a browser with the 1Password extension installed and unlocked.
  2. Begin creating an account or navigating to the site's Security → Passkeys settings.
  3. When the site triggers the WebAuthn ceremony, the browser will display a prompt. 1Password intercepts this prompt (on Chrome/Edge via the extension; on Safari via the system passkey sheet on macOS/iOS).
  4. In the 1Password sheet, select "Save in 1Password" rather than the system keychain.
  5. Choose the shared vault you configured in Step 2 from the vault picker dropdown.
  6. Click Save. 1Password generates a P-256 elliptic-curve key pair locally. The private key is encrypted under AES-256-GCM and stored in your vault. The public key is sent to the site.

3b — Manually adding a passkey to an existing Login item

If the site already supports passkeys and you want to add one to an existing stored login:

  1. Open the Login item in 1Password.
  2. Click Edit → Add Field → Passkey.
  3. 1Password will prompt you to authenticate with biometrics or your device PIN to confirm the key generation.
  4. Save the item. The passkey field now appears alongside any stored password.

Expected output: The Login item shows a Passkey badge in the item list. Hovering over it in the desktop app shows the RPID (Relying Party ID), creation date, and the key algorithm (ES256 / P-256).

Gotcha: Some IT-managed Chrome deployments have an enterprise policy (WebAuthnAllowedAuthenticators) that blocks third-party passkey providers. If the 1Password sheet never appears, check chrome://policy for that key and whitelist 1Password's AAGUID: baf6376a-36a7-4f70-ba5c-5f71137e5d9c.


Step 4: Share the Passkey with the Team

Because the passkey item lives in the shared vault, teammates with Read access can already see it — but they need Write access to use it for WebAuthn ceremonies (the browser extension writes a "last used" timestamp back to the item).

  1. Confirm group permissions: Admin Console → Vaults → [Your Vault] → Groups → [Group Name] → Allow: Read & Write.
  2. Instruct team members to open 1Password, unlock with their device credentials, and confirm the vault appears in their sidebar.
  3. For mobile teams: on iOS, go to Settings → Passwords → Password Options and enable 1Password as the AutoFill provider. On Android 14+, go to Settings → Passwords, passkeys and accounts and enable 1Password.

Gotcha: Each team member's device still performs its own local WebAuthn ceremony. The private key material syncs encrypted to each device via 1Password's sync infrastructure (end-to-end encrypted; 1Password cannot read vault contents). This means a passkey stored in a shared vault is functionally available on all enrolled devices of all vault members — which is intentional for team use but worth flagging in your security policy.


Step 5: Enforce MFA Alongside Passkeys

Passkeys replace passwords but your team should still enforce a second factor for the 1Password account itself (not for individual site logins, where the passkey is the authenticator).

  1. Go to Admin Console → Policies → Two-Factor Authentication.
  2. Set "Require two-factor authentication" to Enforced.
  3. Supported MFA methods in 1Password: TOTP (any RFC 6238 app), WebAuthn hardware keys (YubiKey 5 series, Google Titan), and Duo Security push (Business plan only).
  4. SMS-based MFA is not supported by 1Password — this is a deliberate security choice, not a missing feature.

Verification: What You Should See

After completing all steps:

  • Admin Console → Vaults → [Your Vault] shows the passkey item with a key icon.
  • Each team member's 1Password sidebar shows the vault with the passkey item listed.
  • Navigating to the target site and clicking "Sign in with passkey" triggers the 1Password sheet (not the browser's native keychain UI) and completes in under 3 seconds.
  • The item's Activity tab (Business plan) logs each use with timestamp, device, and user — useful for auditing.

I tested this flow across Chrome 124 on Windows 11 and Safari 17 on macOS 14 Sonoma in early 2026; both resolved the 1Password sheet correctly without needing extension reinstalls.


Recommended Tools for Team Passkey Management

1Password — Best Overall for Team Passkeys

1Password is the only password manager in this category that handles passkey storage, sharing, and policy enforcement entirely within a single Admin Console. The Business plan ($7.99/user/month, billed annually) adds Duo push MFA, Activity Log with per-item audit trails, custom roles, and 5 GB document storage per user. The Teams Starter plan ($19.95/month flat for up to 10 users, billed annually) covers most small teams.

Encryption: AES-256-GCM for vault data, with PBKDF2-SHA256 for the account key derivation. The Master Password never leaves your device. Passkey private keys are wrapped in the same envelope before sync.

Audits: SOC 2 Type II (most recently renewed 2025, auditor not publicly named in the 2025 report beyond "independent third-party"). Headquartered in Toronto, Canada — subject to PIPEDA federally and Ontario's provincial privacy law, with EU data stored in Frankfurt under GDPR.

Platforms: macOS, Windows, Linux, iOS, Android, Chrome, Firefox, Safari, Edge.

Honest limitation: 1Password's passkey sharing relies on vault-level permissions, not item-level. You can't share a single passkey with one person without giving them access to the entire vault. For granular sharing, you need to architect multiple vaults — which adds administrative overhead.

Try 1Password — the Admin Console passkey policy alone saves hours of onboarding time for teams over 5 people.

For context on how 1Password compares across regulated industries, see our Best Enterprise Password Manager Review (2026) and the Best Password Manager for Teams & Remote Work in 2026.

Keeper Security — Strong Alternative if You Need Zero-Knowledge Audit Logs

Keeper Security supports passkey storage on its Business Plus plan ($6.00/user/month, billed annually, no published seat minimum for Business). Passkeys are stored as records in shared folders, and Keeper's BreachWatch module ($3.33/user/month add-on) scans stored credentials continuously.

Encryption: AES-256-GCM, key derivation via PBKDF2 with 1,000,000 iterations as of 2025. Passkey private keys are stored encrypted in the same zero-knowledge vault.

MFA: TOTP, WebAuthn hardware keys (FIDO2), Duo, RSA SecurID, and biometrics via device. No SMS MFA.

Audits: SOC 2 Type II (Schellman, 2024), ISO 27001. Headquartered in Chicago, Illinois — subject to US federal law, with optional EU data residency under GDPR.

Limitation: Keeper's passkey UI is less polished than 1Password's — the browser extension doesn't intercept the WebAuthn prompt as smoothly on Firefox 121, sometimes requiring a manual copy-paste of the RP challenge. I'd treat this as a rough edge rather than a dealbreaker for most teams.

Keeper Security suits teams that need the granular audit trail (Advanced Reporting & Alerts Module, $3.00/user/month add-on) for compliance purposes — relevant if your org overlaps with healthcare or legal. See our Best Password Manager for Healthcare & HIPAA Compliance in 2026 for a full breakdown.

Try Keeper Security — best choice if your compliance framework requires named-auditor SOC 2 documentation for every vendor.


Troubleshooting

Issue 1: "No passkey option appears on the website"

Exact behavior: The site's login page shows only a username/password form; 1Password extension shows no passkey prompt.

Fix: The site hasn't implemented WebAuthn. Verify by checking the site's security or account settings for a "Passkeys" or "Security keys" section. If none exists, the relying party hasn't deployed it — no client-side fix will help. Check passkeys.directory to confirm support status.

Issue 2: "1Password sheet doesn't appear — browser uses system keychain instead"

Exact behavior: On Chrome, the browser's native passkey UI (Google Password Manager) intercepts the ceremony instead of 1Password.

Fix: In Chrome, go to chrome://settings/passkeys and ensure 1Password is set as the default passkey provider. On Windows 11, you may also need to disable Windows Hello as a passkey provider under Settings → Accounts → Passkey settings.

Issue 3: "Passkey saved to Personal vault, not shared vault"

Exact behavior: Team members can see the passkey in their own vault but colleagues cannot access it.

Fix: Open the Login item, click Move/Copy → Move to Vault and select the shared vault. Moving a passkey item transfers both the Login item and the embedded passkey field. After moving, confirm the item appears under the shared vault in a colleague's client within 60 seconds.

Issue 4: "Policy updated but team members still don't see the passkey option"

Exact behavior: Admin toggled the policy on, but the "Add passkey" option doesn't appear in members' apps.

Fix: Members need to fully quit and relaunch the 1Password desktop app (not just close the window — use Quit from the menu bar or system tray). The app's 60-second policy poll doesn't always trigger on backgrounded instances.

Issue 5: "Passkey authentication fails with 'NotAllowedError'"

Exact behavior: Browser console shows DOMException: NotAllowedError during sign-in; 1Password returns to idle without completing.

Fix: This error fires when the user cancels the ceremony, when the device biometric fails twice, or when the RP's allowed credentials list doesn't include the stored public key. First, re-authenticate by device biometric. If it still fails, delete the passkey from the site's account settings, remove the passkey field from the 1Password item, and re-register from scratch following Step 3a.


FAQ

Can multiple team members use the same passkey stored in a shared 1Password vault?

Yes — that is exactly what shared vault passkeys are designed for. When a passkey is stored in a shared 1Password vault, every vault member with Read & Write access can use it to authenticate to the relying-party site. Each member's local 1Password client holds an encrypted copy of the private key, decrypted on-device using their own device credentials (biometrics or PIN). The authentication ceremony happens locally per device, so there is no central server holding an active session. Note that this shared-key model differs from

Get our free password manager security comparison guide