Passkey Demo - duplicate entries and lacking details.

robert1p
robert1p
Community Member
edited April 2023 in 1Password in the Browser

I'm confused by the passkey demo (https://www.future.1password.com/passkeys/).

  • I enter a username, and it creates a Login Item in 1pw; no problem. I select Switch Account, enter a new username, and it creates a new Login Item in 1pw; no problem. I now attempt to login by selecting the first Login Item and it creates yet another Login Item (which appears to be a duplicate of the first Login Item); i.e. I now have 3 Login Items stored in 1pw. I assume this is a defect with the Demo.

  • It's also confusing that for each of the three Login Items, all the PassKeys appear to be identical; i.e. there are no details to indicate they differ in any way. While a simplistic interface is nice, I personally would like to see some way to view the underlying details of my PassKeys. For example, given the defect above, I can't tell if the duplicate Login Items have the same PassKey or different ones. (While "Show" PassKeys details would be preferable, "Show" PassKey Hash would be an improvement until then.)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • paul.m_1p
    paul.m_1p
    1Password Alumni
    edited April 2023

    Hey @robert1p thanks for contacting us here 🙂

    It's great to hear you're excited about passkeys - we are too! And thanks for giving our little demo a run through. The demo site 'PassParcel' is a fake service, and the account data created though that demo is cleared out automatically. The main idea of this is to demonstrate the ease of A) Signing up for a new website and having the passkey stored in 1Password and B) What the flow looks like of signing in to the site with a passkey stored in 1Password.

    With this being an early look at the passkey implementation with 1Password, the official release in the future will likely have some changes and improvements. Thanks again for your support of 1Password, and we look forward to sharing more details about passkeys in the near future. Let us know if you have any questions and we'll be happy to help!

  • robert1p
    robert1p
    Community Member

    Will the official release allow us to "Show" the PassKey details?

  • paul.m_1p
    paul.m_1p
    1Password Alumni

    @robert1p - Thanks for the follow up. To ensure we're maintaining and respecting additional security measures that passkeys benefit from, the details we would be able to display would be things like username, a timestamp, a website url, and any custom user changes to the login item (such as changing the item name, any notes, custom fields, etc.). Our goal will be to make passkeys as usable and flexible as passwords, while at the same time, increasing security by not exposing the underlying credentials in plain text format, in the way that normal passwords are.

    Let me know if I can assist further, and be sure to keep an eye out in the near future for passkey related updates on our blog.

  • robert1p
    robert1p
    Community Member

    I understand what you are saying; however, I prefer more transparency with regards to security. I expect that we will be able to Export our PassKeys, where we can see the details in plain text. Thus, the product is simply making it a more painful path for us to view the PassKey details.

  • paul.m_1p
    paul.m_1p
    1Password Alumni

    @robert1p - Appreciate the engagement 🙂

    At this time, I don't have any details to share on the potential of exporting, but I'd be happy to pass your insight forward to the team as we work to make passkey use easier and more accessible.

    If you don't mind, I have a couple follow up questions:

    • In what way would being able to see the passkey details in plain text give you more confidence, when considering security, or otherwise?
      • And in what way would this ability help improve your workflow (if any)?
  • robert1p
    robert1p
    Community Member
    • I guess I want to review the details of my PassKeys, so I know what information is stored and know what values are used (i.e. names, ids, algorithms, params, key pairs, etc). This would help me understand the implementation negotiated between the 1password app and the site. And when researchers find issues, I can determine whether my most secure accounts are at risk. (With your current demo, all PassKeys look identical; we wouldn’t even be able to tell that each site has a different PassKey; they are essentially treated as magic entries.)
    • Also, when I request a replacement PassKey, I want to verify the key pair actually changed; (i.e. when I feel the need to request a replacement, I want to be able to see that it did indeed change).

    If there is a reluctance in displaying the details, I’d like to understand the reasoning.

    As far as the Export function, 1password already supports it. I can't imagine the implementation would include everything but our PassKeys.

  • Hey @robert1p,

    I'm sorry for the delay in getting back to you.

    As passkeys are a tokenised authentication format, the details we will be able to surface would be a username, a timestamp, a url and anything else you might add to that login item. It’s intentional, and really important to the security of passkeys, that you cannot view the underlying credential in an app like 1Password. Otherwise passkeys would be phishable the same way passwords are. The goal is to make passkeys as usable and flexible as passwords without ever exposing those details.

    I hope this helps to clear things up for you, let us know if you have any questions.

  • robert1p
    robert1p
    Community Member
    edited April 2023

    I thought we were past the days of security through obscurity. Though, I do see how a user might be tricked into exposing their private key. But, other than the private key, is there any reason the rest of the details could not be exposed? e.g. negotiated algorithm, params, etc. Certainly the public key is meant to be exposed.

    If the private key must be obscured, it could at least be exposed as a hash of the value? e.g. titled "Hash of Private Key"

    And again, I expect that we will be able to Export/Import all the details in clear text. "Your data is yours." https://support.1password.com/1pux-format/ This would still be prone to phishing.

    Maybe a pop-up that warns and educates the user would be useful (when the attempting certain functions).

    Thanks for you patience. I look forward to seeing the final implementation.

This discussion has been closed.