DUO Passwordless and 1Password

This discussion was created from comments split from: Sonoma new password source selection menu.

Comments

  • mthor
    Community Member

    Ahh, glad someone posted this issue. I have the same problem, but with an extra wrinkle of my company using Duo passwordless logins, so I use Touch ID on my Mac to auth to VPN.

    Because Touch ID is associated to my keychain, I have to enable iCloud Keychain in password options. Which is annoying for autofill on websites as it gives me an option to fill/save with the Apple option and 1Password option in the same space. So now I'm stuck either not using 1Password autofill on Safari or using iCloud Keychain autofill.

  • @mthor

    Thanks for posting your use case. I haven't used DUO's passwordless option myself and would like to learn a little more so that I can make sure that I've clearly communicated your situation to our product team.

    Are you seeing the iCloud Keychain filling menu just in Safari? What happens if you turn off the following option:

    1. Open Safari.
    2. Click Safari > Settings in the menu bar.
    3. Click AutoFill.
    4. Turn off "User names and passwords".

    You should no longer see iCloud's filling menu. Are you still able to use Touch ID with DUO with this option turned off?

    I look forward to hearing from you. 🙂

    -Dave

  • mthor
    Community Member

    Hi Dave,

    Thanks for the reply, but I have tried that, and it doesn't work. Unticking autofill on username/passwords in the autofill tab disables 'Autofill passwords and passkeys' in password options, which then removes iCloud Keychain as an option below it (it's just blank). So you're basically forced to use iCloud Keychain if you want to use Touch ID for Duo.

  • Hello @mthor,

    That's correct. It seems you've saved a passkey for Duo in iCloud Keychain or on your device, and it is only accessible when the system is set to fill from that credential provider. It may also be possible for you to enroll a new passkey with Duo, which is stored in 1Password, but be careful about doing this since it could lock you out of both Duo and 1Password if both rely on the other service to unlock, and no other authentication devices are available.

    Let me know if you have any questions.

    Thank you,

  • mthor
    Community Member

    Thanks ScottS1P.

    Looks like this was fixed by going to Duo device management settings and deleting the Touch ID associated with Safari. It seems to use the first one by default (as opposed to giving me an option to choose one). So when I removed the first Touch ID, it was able to use the 2nd one I had created, which was via 1pass. So now it used 1pass passkey by default to log in when trying to auth to the VPN.

  • Hello @mthor,

    I'm glad to hear you were able to get this working, and appreciate you sharing the process with us. I hope this will help others using Touch ID and passkeys with Duo too.

    Have a wonderful weekend.