Passkeys are a "black box" in 1Password
1Password supports passkeys and they can be stored to log in to websites already implementing them (Google, GitHub and some others).
But they are very much a black box in 1Password: all I can see is that a passkey is saved, and I see the creation date.
I can't export the private key, I can't export the public key, I can't see what algorithm has been used to generate the key etc.
Is it possible to get more details about a saved passkey? In the end it is my passkey, I should have a lot more than just seeing it exists.
Also, knowing that there is a long list of possible algorithms supported by the various websites, I would find it useful to easily see what kind of passkey has been generated.
How does 1Password decide what algorithm to use when it receives many options from a website? Is there a parameter to influence that choice?
Why keep it such a black box?
1Password Version: 8.10.28
Extension Version: 2.21.0
OS Version: Windows 10
Browser: Chrome
Comments
-
Hi, what I'm thinking is that Passkey is still in beta and not finished, but honestly, it's working perfectly.
0 -
Sure it does work, but I would like to see more info about it.
I can understand that exporting the private key is maybe against the concept of passkeys, but exporting (seeing) the public key should be fine because in the end that is the key sent to the websites when creating a new key.
And knowing what algorithm has been used for the key is important: in case issues are discovered in the coming weeks or months with one of those algorithms, it would be nice to be able to easily identify which passkey should be removed and recreated with a different algorithm.
I'm not reporting issues with passkeys in 1Password, just asking for more transparency.
1 -
Hello @Spoon2525! 👋
Those are good questions! First of all, passkeys can't be exported by design since there doesn't yet exist a standardized way to export and import passkeys in a secure and encrypted manner. Passkeys can't be phished like traditional passwords because the underlying private key never leaves 1Password; if you could export a passkey as a string to plain text, then it would remove that phishing protection and downgrade passkeys back to just another "password" that could be stolen by a malicious actor.
That being said, 1Password is working closely with platform vendors and other password managers through the FIDO Alliance to create a secure way to import and export passkeys. We believe it’s your choice where to store and use your passkeys and hopefully the team is able to share more soon.
> I'm not reporting issues with passkeys in 1Password, just asking for more transparency.
This is totally fair and, as members of the FIDO Alliance board, 1Password is ready to help the industry advance this technology and provide customers with transparency. We have an explanation for how passkeys (which use Elliptic Curve Digital Signature Algorithm public key cryptography) will stay ahead of advancements to encryption here: Will Quantum Computers Break Your Passkeys?
The team has also open-sourced the library that powers 1Password's ability to log in with a passkey so that we can help make passkeys more standardized and open. You can read more here:
- We’re Open-Sourcing the Library that Powers 1Password’s Passwordless Authentication
- GitHub - 1Password/passkey-rs: A framework for defining Webauthn Authenticators that support passkeys
Passkeys are still very early days and I'm very excited to see the developments that will happen as a result of the continued collaboration between 1Password and industry partners through the FIDO Alliance. 🙂
-Dave
0
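On the question of how an algorithm is picked from a site's list, the WebAuthn rule can be sketched as below. This is an added example, not part of the thread and not 1Password's code: the supported-algorithm set, the sample request and the stored records are constructed assumptions, and `credentialsUsing` is a hypothetical relying-party helper.

```javascript
// COSE algorithm identifiers (IANA COSE Algorithms registry) commonly seen in WebAuthn.
const COSE_ALG_NAMES = new Map([
  [-7, "ES256 (ECDSA, P-256, SHA-256)"],
  [-8, "EdDSA"],
  [-35, "ES384 (ECDSA, P-384, SHA-384)"],
  [-36, "ES512 (ECDSA, P-521, SHA-512)"],
  [-37, "PS256 (RSASSA-PSS, SHA-256)"],
  [-257, "RS256 (RSASSA-PKCS1-v1_5, SHA-256)"],
]);

function algName(alg) {
  return COSE_ALG_NAMES.get(alg) ?? `unknown COSE algorithm ${alg}`;
}

// WebAuthn: pubKeyCredParams is ordered most preferred first, and an empty
// list defaults to ES256 then RS256. The first entry the authenticator
// supports wins; null means creation fails (NotSupportedError in a browser).
function selectAlgorithm(pubKeyCredParams, supportedAlgs) {
  const params = pubKeyCredParams.length > 0 ? pubKeyCredParams
    : [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }];
  const hit = params.find(p => p.type === "public-key" && supportedAlgs.has(p.alg));
  return hit ? hit.alg : null;
}

// Hypothetical relying-party helper: list stored credentials that use a given
// algorithm, e.g. to ask those users to re-enroll if it is ever deprecated.
function credentialsUsing(records, alg) {
  return records.filter(r => r.alg === alg).map(r => r.credentialId);
}

// Constructed sample data (not from the thread).
const requestParams = [
  { type: "public-key", alg: -8 },
  { type: "public-key", alg: -7 },
  { type: "public-key", alg: -257 },
];
const es256Only = new Set([-7]); // assumed authenticator capability
const stored = [
  { credentialId: "cred-A", alg: -7 },
  { credentialId: "cred-B", alg: -257 },
  { credentialId: "cred-C", alg: -7 },
];

console.log(algName(selectAlgorithm(requestParams, es256Only)));
console.log(credentialsUsing(stored, -257));
```

In a browser, a site can read the chosen identifier at registration time with `AuthenticatorAttestationResponse.getPublicKeyAlgorithm()` and store it alongside the credential.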