Feature request - Please adjust the popup's behavior for passkey creation
Hi,
I'd like to suggest a change in the popup's behavior for passkey creation: now, when creating a passkey but also when adding a physical key for 2FA, 1Password will show the popup for the creation of a passkey.
I think that this behavior is confusing: for example, according to 1Password, I created a Passkey for GitHub, but in reality that passkey in 1Password is a physical key for GitHub.
And there are also other examples, like X (ex Twitter) for example.
I attached some photos to better understand what I'm saying; see both dates on 1Password app and GitHub website in the security keys section, while the passkey section is empty.
Thanks.
1Password Version: 8.10.28
Extension Version: 2.21.0
OS Version: Windows 11
Browser: Edge
Comments
-
Hello @nicos18!
I'm sorry for the confusion. Both passkeys and security keys use the same underlying webauthn technology which is why you're seeing the prompt from 1Password appear in your browser. If you'd like to add a physical security key for two-factor authentication to your Github account you can click on the security key icon in the prompt to dismiss 1Password and use your security key instead:
If you'd like to save a passkey for sign-in to your Github account, not a security key for two-factor authentication, then make sure to select the appropriate option on the Github website.
Let me know if you have any questions.
-Dave
1 -
Hello @Dave_1P,
Thank you for the explanation.
As 1Password detects both a passkey and a physical security key as a same thing, a workaround that I found is to add to the main item a passkey, and then create a second item for the security key; in this way I can have both elements.
But I hope that, in a future build, 1Password will support more than one passkey stored, as not all services provide the option to upgrade a physical security key to a passkey (at this time, I only found GitHub offering this option).
Thank you.
0 -
Thanks for the reply. Two-factor authentication (like physical security keys) was designed to add an additional layer of protection to passwords against phishing. Passkeys are already resistant to phishing and can be considered to have the same level of security as a password plus two-factor authentication.
You only need to save your passkey for sign in in 1Password, there's no need to save the security key as a passkey in 1Password as well. This advice is consistent with what Github says in their official documentation:
Once you have added a passkey to your account, you can use the passkey to sign in safely and securely to GitHub.com without having to enter your password or perform two-factor authentication (2FA).
I hope that helps. 🙂
-Dave
1