Disable Passkey support for AutoFill

Smileybarry
Smileybarry
Community Member
edited October 2023 in iOS

I prefer to keep Passkeys in my iCloud Keychain because it's essentially syncing just on my iPhone & iPad, while 1Password has an archive file format, so those keys would essentially be files in the filesystem on my Windows PC.

The problem is that in iOS 17 I have to have both enabled for that. I liked the behavior back in iOS 16, where 1Password didn't declare Passkey support (because there was no API) and iOS auto-picked iCloud. Can that be added as an advanced switch to the app? Or does iOS 17 not allow password managers to declare Passkey support dynamically? (i.e. it's stuck in the manifest and can't be changed)


1Password Version: 8.10.16
Extension Version: Not Provided
OS Version: iOS 17.0.3
Browser: Not Provided

Comments

  • Hello @Smileybarry! 👋

    Thanks for the feedback! 1Password is designed to store all of your passwords and passkeys so that they're available on all of your devices. Can you tell me a little more about why you're storing passwords in 1Password and passkeys in iCloud Keychain?

    It sounds like that would cause confusion, and duplicate items in different managers, as you update logins from using passwords to using passkeys. I look forward to hearing from you.

    -Dave

  • Smileybarry
    Smileybarry
    Community Member

    Yes:

    In general, I keep everything in my 1Password. The sole exceptions are:

    • TOTP for accounts that need “real 2FA”, so I save their TOTP in a separately encrypted authenticator app;
    • Some FIDO2 Security Keys for the same “real 2FA” reason; and
    • Passkeys (except for the same cases where I’d save TOTP in 1Password anyway).

    The reason for saving Passkeys elsewhere is defense-in-depth and ensuring the least credential theft possibility as I can. At work we keep our code signing keys on a hardware token to keep them from being stolen by an attacker. For that same reason, I prefer keeping some of my own keys on hardware or hardware-enforced platforms: Yubikeys, TPMs, etc.

    While I love 1Password, it’s still essentially syncing a file-based archive around and accessing it with a userland application. I completely trust it from a brute-force perspective, but credential theft is another matter. (On a defense-in-depth level) Since websites are giving Passkeys a very high trust level, I’m wary of saving them in software for that reason.

    I know iCloud Keychain means it’s not a “real” hardware key and not unexportable, but it’s at least properly separated on iOS/macOS/iPadOS and secured by each device’s secure element, that I trust it enough.

    TL;DR / To sum up: It’s out of a defense-in-depth and tiering approach, put simply, some accounts are more important than others.

  • @Smileybarry

    Thanks for the reply. I'm not an expert on how iCloud Keychain works but from my understanding the Keychain itself is not stored in the Secure Element:

    The keychain is implemented as a SQLite database, stored on the file system.

    Source: Keychain data protection - Apple Support (CA)

    Malware exists that can steal the Keychain database: New macOS malware steals sensitive info, including a user's entire Keychain database

    Because of 1Password's dual-key architecture, where your data is end-to-end encrypted using both your account password and your Secret Key, 1Password is the most secure place to keep your passkeys and ensure that they're available on all of your devices. You can read more about our security model here: About the 1Password security model

    -Dave

  • Smileybarry
    Smileybarry
    Community Member

    You’re right regarding malware on macOS, but it’s sufficiently separated on iOS platforms, which I currently use with Keychain.

    Additionally, I’m not sure if Keychain may run in a separate UID or guarded by the kernel in some way. (Whereas 1Password runs under the same user account on Windows at normal integrity, ergo elevation is not necessary to access its files)

    But either way — one syncs with my computer, one currently does not (as I don’t own a Mac). So I can have a higher level of trust in it, given that my iOS devices aren’t jailbroken and nothing (save for extreme vulnerabilities) can access Keychain.

  • @Smileybarry

    Thanks for the reply. It's important that your Windows PC is safe to use before you install 1Password since you're correct that 1Password can't protect you if your PC is infected with a malicious process that has access to your system. You can find more details in our Security White paper under the "Malicious processes on your devices" section: 1Password Security Design

    If you're uncertain that your Windows PC is safe to use then I would avoid installing 1Password on that system at all in the first place. Alternatively, you could create a guest account in 1Password that only has access to a single vault with the data that you feel comfortable storing on your Windows PC and only add that guest account to the Windows PC:

    iCloud Keychain, which can be synced to Windows as well, would be subject to the same considerations. Let me know if you have any questions.

    -Dave

  • Smileybarry
    Smileybarry
    Community Member

    Hi again,

    Yes, my computer is safe and secure. What I said regarding integrity level etc. is simply part of defense in depth and planning for unforeseen exploits, same reason why not everything runs at admin level, or Chrome uses process sandoxing at untrusted integrity for renderers.

    Also — iCloud Passwords can sync with Windows, but just the usernames and passwords, and has to be enabled manually.

    I know I’m not the average user — neither in needs nor in security planning from my time in infosec — which is why I suggested this (Passkey support) as an advanced toggle in the first place.

    Would that be possible to add on iOS, and restore iOS 16 behavior?

  • @Smileybarry

    Thanks again for the feedback. While I can't make any promises, I've filed a feature request on your behalf to add an option to turn off 1Password passkeys for AutoFill on iOS. Our product team will look into the request for future versions of 1Password.

    -Dave

    ref: PB-36196082

  • fabiograsso
    fabiograsso
    Community Member

    Hello,
    any news about this topic? I want to use passkeys on my iPhone but I don't want to save them in 1Password. The fact that I'm forced to save them in 1Password is very annoying.

  • @fabiograsso

    Thank you for writing in. Can you tell me a little more about why you'd like to save your passkeys in iCloud Keychain and not 1Password? I would be happy to pass along your use case and request to the team as well.

    -Dave

  • effata
    effata
    Community Member

    @fabiograsso If you go to settings -> passwords -> password options you can select both iCloud and 1Password as options for passwords and passkeys. This will give you the option to save passkeys to iCloud instead if you want, and it's my path forward for the time being.

  • @effata

    Thank you for adding your suggestion. I would also be curious to hear from you about why you save passkeys in iCloud Keychain and passwords in 1Password, why not just keep everything in one place protected by 1Password's end-to-end encryption and security?

    -Dave

  • fredemmott
    fredemmott
    Community Member

    In my case, I want to continue using a yubikey for some accounts, not iCloud.

    It is inconsistent that this appears to be a supported option on every platform on iOS, and bluntly the responses saying to just use 1password instead are a little tone-deaf and feel like the infamous "you're holding it wrong".

  • fredemmott
    fredemmott
    Community Member

    To give one example though: if I register a yubikey with discord, for example, I can then log in to Discord on a machine I don't trust enough to put a 1password installation on to. I could create a separate account with a shared vault, but that counts towards my plans' account limits, is more work, and requires storing my passwords and second factor in the same place.

  • Dave_1P
    edited November 2023

    @fredemmott

    Thank you for the feedback! Just to clarify, are you using the YubiKey as the single source of authentication for Discord? Or are you using the YubiKey for two-factor authentication after entering your password?

    If it's the latter then you should still be able to use the YubiKey for two-factor authentication even if 1Password is set as the provider of passkeys on your iPhone/iPad. Is this not working? What do you see when you try to use the YubiKey when signing in?

    -Dave

  • fredemmott
    fredemmott
    Community Member
    edited November 2023

    Sorry, Discord was a bad example; it's a second factor, as a non-resident key. The previous version of the Discord iOS app attempted to register resident single-auth-method passkeys, but this appears to be a bug as it was not possible to log in with them on any platform, and after their update, they register non-resident as a second factor everywhere.

    There are several sites (e.g. github) which support resident passkeys where I use a yubikey as the sole authentication method, and the current iOS implementation of 1password makes this extremely awkward. This really feels like an oversight in the iOS app given that:

    1. turning this feature off is documented at https://support.1password.com/save-use-passkeys/#get-help - but the article does not mention that the option does not exist on iOS.
    2. the option to turn the feature off exists and works fine in the Windows and Mac 1password apps.

    There is nothing fundamentally different about my requirements for passkeys on Windows/Mac and on iOS, and a cross-platform password manager should have consistent cross-platform behavior.

  • @fredemmott

    I'm sorry for the confusion. The article that you linked to is for 1Password in the browser, our extension for desktop browsers.

    On the iPhone, passkeys are saved and used with iOS AutoFill rather than our browser extension which is why you're not seeing the same option there. You can find our guide on using iOS AutoFill here: Use 1Password to save logins and sign in to apps and websites on your iPhone and iPad

    That being said, thank you for the feedback. I've passed your request along to the team internally so that they can look into this further. 🙂

    -Dave

    ref: dev/core/core#24139
    ref: 37012221

This discussion has been closed.