My passkey experience: so far a failure

VessV

Since all the passkey buzz started I'd been somewhat keeping track and learning about it with moderate enthusiasm; and when today I saw that it's implemented in the full public 1PW release, I thought I'd give it a try, on some accounts I don't really care about.

First was Home Depot. I logged in and selected the passwordless login option, and after verifying me with an email OTP, it gave me the FaceID and fingerprint options of my Windows laptop. Since 1) my laptop has neither of these devices, and 2) I want this saved into my 1PW cloud service and not my laptop, I cancelled out of it and there was no other option, and I was left confused. After doublechecking that Home Depot was in fact on the list of supported websites, and my 1PW browser extension specifically told me it's available, I thought I'd try it again, and click on the "FaceID or fingerprint" option just to see what happens. And from that, the 1PW extension registered the attempt, let me create the passkey and saved it beautifully. So it seems like in order to work, 1PW spoofed the website into thinking it's being unlocked by my laptop's biometrics, and possibly managed by Windows(?). Fine, whatever. I log out, log back in with the passkey, everything great after the previous one-time annoyance.

Next, after creating it, time to try it on another device: my Android phone. I open 1PW and see the passkey ("created on xxxx") is there, so the syncing worked immediately. I log into Home Depot where it again verifies me with an email OTP, never asks me for the passkey prompt. I thought, maybe that'll come later. I go to the login options, and when I click on "FaceID and fingerprint," it never interacts with 1PW or the stored passkey on it, and only tries to create a NEW passkey and store it in the Google cloud (I get a half-screen height dialog starting with "Use screen lock for encryption?") Again, I don't want anything other than 1PW involved in this, so I don't proceed.

Third device, my iPad. Same thing. Synced beautifully, but same experience logging in (via email OTP) and the only passkey related option is to create another new one and manage it with Apple. Unlike my phone, I go ahead with it just to see what happens. It creates successfully, I log out, log in fine with it. But it's not the one stored in 1PW, it's a separate thing... just what I was trying to avoid. (On top of that, I have no idea where it's stored or managed. Settings > [name] > iCloud > Keychain shows "Off." Settings > TouchID & Passcode has nothing relevant. Settings > Passwords shows nothing, and within that, AutoFill Passwords has Keychain turned off and 1Password turned on. As expected, but does not explain how I logged into Home Depot. I'm glad I'm not vested into the "Apple ecosystem," because if I was, I would have no idea how to do something like delete this passkey, or sync it onto another device, or back it up, or anything. What a mess! At least it's not interfering with the other passkey that IS stored in 1PW, since I can still log out and log in from my laptop, using it, successfully.

Let's try another account, CVS. This one mandates I turn on "Windows Hello." I don't want to do this, (because, again, I want 1PW to be in charge of it) but I decide to do it anyway just for experimentation, to see if 1PW will spoof the website into handling it, like it did Home Depot. Go into Windows settings, Face ID won't turn on since the camera is old and incompatible with it, and a fingerprint scanner does not exist. There's also a PIN option and I try that, but it doesn't work and CVS won't recognize Windows Hello as being turned on. So this one's a failure right out of the gate.

Let's try a third account, Kayak. Windows laptop, create passkey and logout and log in fine. Try to get on my iPad, it sends a verification email link that sends me into a loop where I can only keep doing verification emails. Forget this!

Summary: out of 3 websites, 2 successes in creating and using passkeys on one device, and zero successes in syncing across devices. Instead, it's a morass of competing cloud management services hijacking the process and creating duplicates. I realize some or all of this may the the fault of the respective websites and not 1PW since everything has to work properly together... but this is my experience so far, I'm glad I only tried it on basically throwaway accounts, and I'll be sticking with passwords for the time being.

OS Version: Not Provided
Browser: Not Provided

Tertius3

I have a similar bad experience, and I decided to ignore passkeys for the next year or two, to spare me constant trouble and frustration in trying to make it work but fail for one reason or the other. I will look again how it works out then.

As far as I see it, it's at the edge of being not universal and useful enough to get widespread use for the ordinary user, similar to as it is with hardware keys. Not as tedious as hardware keys, but still not comfortable enough to prefer it over userid+password. Still too much hassle around it, some surprising constraints you never thought of.

They are not the password replacement for every daily login business at some random website. They are currently only a replacement for some important singular websites, where you explicitly choose passkeys instead of passwords. But the bulk of the websites, for example community forums like this, will probably never even consider to offer it.

AG_Travis

@VessV Heyo! I'm the Sr. Product Manager leading Save and sign in with passkeys. Thanks for giving them a try!

Although our passkey authenticator has started going live in several extension stores (Safari, Chrome, and Edge currently), we have not rolled out the experience to any mobile platforms. Furthermore, when we do rollout support for mobile this summer, it will only be available on iOS 17, iPadOS 17 and Android 14. Previous mobile OSs will not be supported at this time.

However, you do seem to be running into some unintended behaviour on Home Depot/CVS. I'm going to get my dev team to look into it to see if those are site specific issues (that's my current assumption) or something we can fix on our end.

Cheers!

VessV

Thanks for the reply!

Well, "not rolled out" would certainly explain why they don't work! By virtue of the passkey showing up visually in the login item, I thought it was supposed to work, and didn't think to check any further on their rollout status. I guess they show up for the sake of completeness of information, i.e., its existence is synced, though not yet functioning? If it was hidden, I suppose it would cause the opposite confusion. Anyway, now I know, but I suspect you'll soon be getting a plethora of users drawing the same conclusion as me. Perhaps the passkeys on not-yet-supported platforms, might warrant being highlighted in a special color and/or a notification explaining this, might be in order?

Also I hope I didn't come across as pooh-pooh-ing the passkey ultimate "vision." I would expect teething problems when first rolled out (and, as it turns out, before being rolled out! oops) and I am enthusiastic for the future where they are the norm, including for all the basic everyday stuff, in a smooth experience.

AG_Travis

@VessV No worries! Really appreciate the feedback.

I also wanted to return to say that we've started rolling out passkey support for iOS/iPadOS 17! You should see an updated for the 1Password app in the App Store now.

Let me know how the cross-platform passkey experience goes for you. They will primarily work within Safari and some iOS 17 apps have started rolling out support today albeit limited.

Cheers!

Goldfinger

@AG_Travis It looks like a fair number of users today are seeing the option but are not on the correct OS Version. Ie Android 14 is not even released yet. So, looking at the support issues, an OS_Version_too_low flag seems appropriate. But well done on getting it out the door on ios!