Passkey as security key doesn't work on Vanguard

tvandinter
Community Member

This is probably more a Vanguard problem than a 1Password problem but it's unclear to me and a search here didn't bring up an earlier post.

TL;DR: using 1PW passkey as a security key on Vanguard (vanguard.com) causes logins to fail 100% of the time with "We're experiencing technical issues". Logins work fine with physical security key after disabling 1PW/1PW key.

I have 3 physical security keys registered with Vanguard (vanguard.com) and logging in with them works fine. I added a 1Password passkey as an extra security key on all sites which has worked fine on every other site. I added the 1PW key to Vanguard which added fine. However, when I try to log in, the site triggers the 1Password key and then the login fails with the above message, 100% of the time.

I verified the problem by disabling 1PW in main window and logging in w/ physical key. I then opened an Incognito window and tried logging in w/ 1PW key and it failed. In main window I deleted the 1PW key from the site, then tried Incognito again and it worked w/ physical key. In main window I re-enabled 1PW, deleted key from 1PW login, and added key again to the site. Incognito failed again.


1Password Version: 81008024 (beta)
Extension Version: 21200003 (beta)
OS Version: MacOS 12.6.6
Browser: Chrome 114.0.5735.133

Comments

  • joshrsmith
    Community Member

    I have the same experience!
    I am using Windows 10.

    In Firefox it will briefly show the screen asking me to present the passkey/token, the 1Password extension pop-up appears, but then it quickly goes to the "We're experiencing technical issues" screen, as you described.

    In Edge it will prompt for my PIN code (I have Windows Hello enabled), and then it will just sit on the screen waiting for the passkey to be presented.

  • Joy_1P
    1Password Alumni

    Hey @tvandinter, it sounds like Vanguard supports 2FA with a security key. However, using a passkey in that capacity will not work. A passkey isn't a second factor, and it appears that's causing an issue on Vanguard's website.

    I'm unable to create an account on Vanguard's website to test this. That said, I do recommend taking a closer look at the security key option on Vanguard's website to see if they list examples of what they accept. Additionally, if you want to do some testing, you can save a passkey for your Vanguard account in Chrome or with iCloud keychain. You can try signing in, and if you run into the same troubles, then it confirms that Vanguard does not yet support passkeys.

    To store a passkey for Vanguard in Chrome, please see this guide: https://support.google.com/chrome/answer/13168025

    To store a passkey for Vanguard in iCloud keychain, please see this guide: https://support.apple.com/guide/iphone/passkeys-passwords-devices-iph82d6721b2/ios

    Let us know what happens if you test that. Thanks for your time.

  • Joy_1P
    1Password Alumni

    Hey @joshrsmith, it's likely that Vanguard does not yet support passkeys. However, since their website doesn't have any info on it, I recommend either 1) calling their support team and confirming or 2) testing by saving a passkey in Chrome or iCloud keychain to see if the same issue occurs.

    As passkeys are quite new, it may take some time for companies and institutions to adopt the technology. We encourage you to let these companies and institutions know about your interest in it. Hopefully, with feedback and requests from customers, there will be positive changes sooner rather than later.

  • tvandinter
    Community Member

    Hi @Joy_1P , yes, Vanguard is security key 2FA and not passkey.

    "using a passkey in that capacity will not work"

    Hrm. Since the OP I have upgraded OS (Mac OS 12.6.7), 1PW (81008042), and 1PW extension (21200201) and it seems like some behavior has changed?

    Every site I use that uses security key 2FA will register a 1PW passkey as a security key.
    Since you brought up Chrome passkeys, only some sites will trigger Chrome passkey for registration as security key. (Vanguard does not trigger Chrome for passkey.)

    I swear that in 21200003 when I set up a 1PW passkey as 2FA on the various sites, I went ahead and tested that I was able to authenticate 2FA. Maybe I stopped testing after the first couple since I would have found the Vanguard behavior at that point.

    With 21200201 I can still authenticate 2FA to Dropbox and GitHub using 1PW passkey. Ditto for Chrome passkeys.
    Vanguard brings up 1PW but it fails as in OP.
    All other sites now do not trigger 1PW for 2FA authentication.
    I can still add the passkey as 2FA on all sites.

    I'm not sure what to say here. If the expectation is that a 1PW passkey (or passkeys in general) are not supposed to work as security key 2FA, then 1PW (and Chrome, etc) really should not respond to the security key registration on sites. I don't know enough about the protocol to know if this is possible, though Chrome seems to respond to 2FA registrations at fewer sites than 1PW so this must be possible to some degree. At least put some all-capitals text explaining this when 1PW asks which login to put the passkey in so we can see it and hit cancel.

    Unfortunately the more I test sites w/ 1PW and Chrome the less consistent I find the behavior to the point where I've given up.

    fwiw, I can't find much on the Vanguard site regarding what their requirements are. "Be sure to choose a key that is FIDO2 certified." They also include Android and iOS devices.

    also fwiw, on all these sites (which support >1 security key) I have my Pixel 7 Pro registered for 2FA which works fine. Android seems to have rebranded their security key support as passkey, so that pops up when using it, just to muddle the situation.

    also also fwiw, eBay seems to support passkeys not by name but as "Face/fingerprint/PIN sign in" which then still does SMS 2FA, and then they separately have "Security key sign in" which is super confusing. BestBuy supports passkeys by name but also does TOTP when logging in. 🤯

  • joshrsmith
    Community Member

    Not sure I can add much to this discussion, but here is what it says on the vanguard site:

    Here’s what you need:
    A FIDO2 compatible security key

    Make sure the key you choose meets the FIDO2 certification standard for secure authentication. Consult the manufacturer of your key if you have any compatibility questions. Note: If you're using Google Chrome or Microsoft Edge, you will also have the option to use your Android phone (version 7 and up) as your key.

    Security code service

    This is your backup if you lose, misplace, or forget your key. When you register your key, your frequency settings will automatically be set to: "Every time I log in".

    A browser that supports FIDO2

    Compatible browsers include Chrome, Firefox, Safari (version 13 or newer), or Microsoft Edge.

    The odd thing is that it allowed me to complete enrollment with 1password, but then subsequent logins don't work...
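
On the protocol question raised in the thread: a relying party can tell a syncable (multi-device) credential from a device-bound one by reading the backup flags in the WebAuthn authenticator data, and it can apply the same rule at enrollment and at login so the two cannot disagree. The following is an added example, not code from the thread, 1Password or Vanguard; the policy object, function names and sample bytes are assumptions made for illustration.

```javascript
// Bits of the authenticator data "flags" byte (WebAuthn Level 3).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

// Fixed header: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian).
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // multi-device (syncable) credential
    backedUp: (flags & FLAG.BS) !== 0,       // currently backed up / synced
    signCount: view.getUint32(33, false),
  };
  // The specification treats "backed up but not backup-eligible" as invalid.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return parsed;
}

// Hypothetical relying-party policy check, meant to be called from BOTH the
// registration and the authentication handler so the two stay consistent.
function evaluateCredential(bytes, policy) {
  const d = parseAuthenticatorData(bytes);
  if (!d.userPresent) return { accepted: false, reason: "user presence flag not set" };
  if (d.backupEligible && !policy.allowMultiDevice) {
    return { accepted: false, reason: "multi-device credential not accepted as a security key" };
  }
  return { accepted: true, reason: d.backupEligible ? "multi-device credential" : "single-device credential" };
}

// Constructed sample input: all-zero rpIdHash, chosen flags, chosen counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const hardwareKey = sampleAuthData(FLAG.UP, 7); // constructed: device-bound key
const syncedPasskey = sampleAuthData(FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS, 0); // constructed
const strict = { allowMultiDevice: false }; // hypothetical "security keys only" policy
console.log("hardware key:", evaluateCredential(hardwareKey, strict));
console.log("synced passkey:", evaluateCredential(syncedPasskey, strict));
```

A site that enforces such a rule only at login would accept the enrollment and then reject every sign-in; whether that is what happens on any particular site cannot be determined from the thread.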

This discussion has been closed.