Passkeys are not practical for most websites (even though they offer it)
Passkeys are generally a great thing. I also think the integration through 1Password is great. However, I still don't see the added value today. Most websites are not consistently switching to passkeys, because they still offer login with “User/Password” (without the option to switch that off). To keep this older login method secure, you should leave 2FA activated. However, this means that you also have to enter the 2FA code in the second step when logging in even with a passkey. This is the case with PayPal, for example. PayPal could at least introduce the option to only request the 2FA code if the user has logged in via “User / Password”. The current implementation makes passkeys somehow obsolete from a practical point of view (passkeys already have a second factor …).
With PayPal there is also the following issue: When I log in with my passkey, I am still asked for the 2FA code (as mentioned). Then 1Password does not fill this 2FA code automatically (not even via the clipboard). It also becomes inconvenient with the PayPal iOS app, but a little different: here the 2FA code is only copied to the clipboard if I have deactivated Face ID in the app. Unfortunately, the PayPal app does not offer the option of remembering the iPhone as a trustworthy device to skip the 2FA (not even with the tip from the web of uninstalling the app and then reinstalling it). In both cases, 1Password does not seem to correctly assign or recognize the 2FA input field if you have not previously entered the user and password.
I understand that some websites only switch to passkeys carefully and step by step, but there should exist the option for switching off the login via "User / Password" if the passkeys login method is activated (Synology does this very well).
It will probably take some time before the use of passkeys is implemented as practically on most websites as it is on Synology or, for example, on http://webauthn.io.
1Password Version: 8.10.24
Extension Version: 2.19.0
OS Version: macOS 13.6.4
Browser: Safari 17.2.1
Comments
Hello @Piwi! 👋
Thanks for sharing your experience! Passkeys are still early days and, as the industry adopts this exciting new technology, improvements to each service's implementation will follow. I did want to mention that we've made an improvement to the process on our end with the latest update to 1Password for iOS:
When you sign in with a passkey, the item’s one-time password will be copied to your clipboard automatically if it has one.
When it comes to websites requiring two-factor authentication even if you're using a passkey, or not allowing you to turn off your password, I would recommend sending that feedback to the website or service itself so that they're aware of your experiences.
Let me know if there's anything that I can help you with. 🙂
-Dave
Hello Dave,
What I like so much about 1Password is that you really interact with your community. Thank you for that. I just tested everything with PayPal (because that's a good example of a major site not being consistent with passkeys). Here is my experience:
Mobile
I used the latest update to test it – and it works: The 2FA is being copied to the clipboard even when I use passkeys to log in. (By the way: You could implement the same for the login with Face ID, because the 2FA code is not being copied to clipboard then).
Websites
I understand your point here, but you could implement the same in the desktop app anyway:
When you sign in with a passkey, the item’s one-time password will be copied to your clipboard automatically if it has one.
Because this doesn't work and it's 1Password's business.
Best regards!
Piwi
Thank you for the reply! I'll respond below:
I used the latest update to test it – and it works: The 2FA is being copied to the clipboard even when I use passkeys to log in.
I'm glad that 1Password for iOS copying the 2FA TOTP to the clipboard after signing in using a passkey is helpful!
(By the way: You could implement the same for the login with Face ID, because the 2FA code is not being copied to clipboard then).
When you log in to the PayPal app using the "Face ID" option, 1Password isn't involved there. Since 1Password never runs, it never gets the chance to copy the 2FA TOTP to the clipboard. I'm not sure why PayPal is asking for a 2FA TOTP whenever signing in using Face ID since you've already added your PayPal account to the app.
I understand your point here, but you could implement the same in the desktop app anyway:
We have an open internal work item to look into doing this; I'll add your feedback there. 🙂
-Dave
ref: dev/core/core#24349
ref: PB-380377600