Viewing passkeys

Locate_The_Any_Key · October 2023

Are there any plans to allow passkeys to be viewable?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

XIII · October 2023

Why would you want that?

GreyM1P · October 2023

A passkey is essentially just a private-public key pair so doesn't really have anything human-readable in it, or at least not in a useful way. Here's the raw data from an example passkey to show you what I mean:

{
  "overview": {
    "title": "Demo Passkey",
    "passkey": {
      "credentialId": "3cWfCrLeH42_d5Mr-v9L4Q",
      "rpId": "passage.1password.com"
    },
    "ainfo": "—",
    "ps": 0,
    "pbe": 0.0,
    "pgrng": false,
    "b5AccountUUID": "[redacted]"
  },
  "details": {
    "passkey": {
      "type": "webauthn",
      "createdAt": 1696240231,
      "privateKey": "eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwiZCI6ImkyeWEwcGVNTUliekpFSzRLWTJfTFV0OVEwRzN4YXVxLWJmdUVFa3ZmYU0iLCJ4IjoiOGt0LWt3MS15THZoUklnYnA0STQ5SEpaWEt6V3I3WG5NX1ltV1JxcS1BOCIsInkiOiJZVWdiOV83TWljSXR4U1o2MHB3bHlUUjNLSERVdkNNeHdpYlJLdGozNjNjIiwiYWxnIjoiRVMyNTYifQ",
      "userHandle": "ZVJYbXkwNEw1WVJFU2FkUjlVNXlPNExz"
    },
    "fields": [
      {
        "id": "identifier",
        "type": "T",
        "value": "",
        "designation": "username",
        "name": ""
      }
    ]
  },
  "createdAt": "2023-10-02T09:50:31Z",
  "updatedAt": "2023-10-12T11:25:20Z",
  "faveIndex": 0,
  "trashed": "N",
  "templateUuid": "001",
  "uuid": "ufph3fsghf7jo2k4yqeaiqawdi"
}

The actual passkey field is the one containing the privateKey and userHandle, both of which are randomly generated.

If you're looking for any particular information held within a passkey, let me know and I may be able to direct you to the right place if possible. :)

— Grey

Locate_The_Any_Key · October 2023

Thanks for showing that, I’m assuming they’re exportable as well? That’s really my main concern, just like my passwords I’d like to be able to view and export all of my data that I put into 1Password. Passkeys are nothing more than a private key and should be viewable just like a password.

Dave_1P · October 2023

@Locate_The_Any_Key

Thanks for the reply. Passkeys can't be viewed in plain text by design, it's an important part of their resistance to phishing and one of the ways in which they provide better security than passwords. A passkey can only be used on the service that it was made for. If a passkey could be viewed in plain text then it could be phished just like a password can.

Can you tell me a little more about why you'd want to view the underlying passkey private key? I'm not aware of any website or service that can use those for anything and there isn't a way to import these into a different manager.

I look forward to hearing from you.

-Dave

Locate_The_Any_Key · November 2023

Hmm I see what you're getting at. Don't you think a password could be phished just as easily? But I see what you're saying, just like a Yubikey, you can't see your key thus making it more resistant to attacks. I was thinking of the mindset of backing up the key and/or sharing the key into another platform or with someone who you know who would need the same login.

Dave_1P · November 2023

@Locate_The_Any_Key

Don't you think a password could be phished just as easily?

The vulnerability of passwords to phishing attacks, and the protection that passkeys offer against such attacks, is one of the big reasons why 1Password and our industry partners as so excited about passkeys. Passkeys can't be phished like traditional passwords because the underlying private key never leaves 1Password.

I was thinking of the mindset of backing up the key and/or sharing the key into another platform or with someone who you know who would need the same login.

You can share a passkey with a family member just as you can a password: Share passwords with your family

I hope that helps!

-Dave

Viewing passkeys

Comments