1P prompts to capture Passkey from Okta even when Okta is needed to login to 1P
Our company uses 1Password with Okta for authentication. Passkey support in the 1P browser extension now tries to capture FIDO2 key registration in Okta. This causes a deadlock problem - our users have been putting their Okta passkey in 1P and then are unable to login to Okta because the passkey needed is locked in 1P.
I don't see any other discussions on this, so I'm wondering if I'm missing a setting somewhere. Has anyone else run into this?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hello @jgirelliniVL ,
I'm Scott on the 1Password support team. It's nice to meet you.
Thanks for asking about using 1Password in the Browser in conjunction with passkeys and security keys. It's my pleasure to discuss this with you today.
Version
2.15.0
of 1Password in the browser (the extension) introduced 1Password's support for creating, saving, and using passkeys to sign in to websites, and for two-factor authentication. By default, it intercepts all compatible WebAuthn requests, including those that may have previously caused your browser to prompt for using a security key.There are a few things you may wish to do to make better use of this new feature:
When possible, keep 1Password unlocked, so it's able to tell if you have any passkeys stored for a website, and act accordingly. While locked, 1Password still intercepts the requests, but shows a screen asking to unlock 1Password, in case you have any passkeys saved and wish to use them.
There are new settings to control how passkeys are used, if your team isn't yet ready to use passkeys.
- Individual team members can configure 1Password in the browser to not save or sign in with any passkeys. Right click the 1Password icon in the browser toolbar > Settings > Autofill > disable "Save and sign in with passkeys". Repeat this process in other browsers or browser profiles, since the setting is stored per installation of the extension.
- 1Password Business accounts include a policy that allows for passkey functionality to be disabled for their team. To access it, an owner or administrator can Sign in to the 1Password website, then navigate to Policies > App usage > Manage > Passkey item support, and disable the feature. This will prevent the prompt from being shown in some situations, passkeys in the account from being used, and prevents new passkeys from being created in the account. Existing passkeys will not be removed.
Make sure your team is using 1Password in the browser
2.15.1
or newer, which includes a fix to allow 1Password Business policies for passkey support to be respected in more circumstances. Team members will need to unlock 1Password in the browser at least once after the policy is changed, or after they clear browser data for the policy to go back into effect.
There is also a security key fallback button in the prompt to use a passkey. It's the icon next to the close button in the attached screenshot, which I've highlighted. Anyone who sees the passkey prompt can click that button any time they wish to pass the request on to their browser or device to handle without 1Password. This will allow you to continue using a physical security key, or passkey provided by your browser or device. When unlocking Okta to unlock 1Password, it's probably the best option to use.
I hope this information helps. Be sure to let me know if you have any questions.
0 -
Hi Scott, thanks for your reply.
We did disable passkeys for now, but that's something we don't really want to do long term. I'm aware of the fallback button, but this is difficult to convey to hundreds of users and I would really like to see some more granular controls here for enterprise customers. Is there a feature request for a per-domain passkey blocklist? This would be a non-issue if we could just configure 1Password to ignore passkey requests from Okta.
0 -
Hello @jgirelliniVL,
I've passed your feature request for domain specific policies to block passkeys, so your team won't be prompted to unlock 1Password while trying to sign into Okta, to unlock 1Password. I don't currently have any information indicating if or when 1Password may be able implement this, but you can rest assured that the issue is on our radar, and we appreciate your contribution to 1Password's evolution.
Let me know if you have any questions, and have a wonderful weekend.
ref: PB note 38000519
0 -
Thanks Scott, appreciate your forwarding that. I don't suppose there's a publicly available roadmap board where requests like this can be tracked?
0 -
Hi @jgirelliniVL,
At this time there is no publicly available roadmap, but in what may win the award for meta statements in my day, a public roadmap is also on our roadmap. For now, your best bet would be to check in again here, or ask about "Insight #38000519" in any future contact with 1Password.
Cheers,
0 -
Got it. Thanks Scott.
0 -
Thanks again for the feedback! 🙂
-Dave
0