How to make passkeys in 1Password certified?
Hello,
I want to use passkeys stored in 1Password for one website through which I can then sign into other government services (services offered to citizens).
But for this to work I need to use a certified passkey.
They pointed me to this website to check if my passkey manager is certified. https://fidoalliance.org/certification/fido-certified-products/
So how can I deal with this? Can I somehow make 1Password passkeys certified? Or do you plan to include this certification at some point?
I want to use 1Password for all my logins and passkeys but this lack of certification could be limiting in some cases.
Thanks.
Comments
-
Hello @oschif! 👋
FIDO's certification program is not available for software authenticators like 1Password at this time, but we are keeping an eye on this area to see what we can offer in the future.
"I want to use 1Password for all my logins and passkeys but this lack of certification could be limiting in some cases."
Can you clarify the limitations that you're running into? Are you unable to save a passkey for a certain website in 1Password?
-Dave
0 -
I can add a 1Password passkey to this website. But it won't allow me to log in to government services without a certified passkey.
This website is like a middleman. I log into this website and it in turn logs me into the government service.
But it only works if I have a certified passkey. Here is the link: https://www.mojeid.cz/en/support/two-factor-authentication/#system-key
I think it's the same as the reason why Apple devices don't work, so I will quote that part:
Some Apple devices can already be used as a system security key. However, it is not yet certified and unfortunately we cannot guarantee the correct functioning of these keys. It is therefore not possible to link your MojeID account to public administration services with an Apple device. The Apple system key can only be used to log in to your account or to web portals, etc.
Replace word Apple with 1Password and that's what I mean.
In the section Hardware key it's described even more clearly:
For access to public administration services it is necessary to add a physical key with a level of at least FIDO_CERTIFIED_L1.
0 -
Thanks for linking to that page! It looks like the website in question is referring to using hardware security keys which, as far as I know, can be certified currently. This would be something like a YubiKey, a physical device that you plug into the USB port of your computer.
Do you receive an error message when you try to use the passkey that you've saved in 1Password to sign in? To help me better understand the situation I'd like to ask you to take a screenshot of what you're seeing and attach it to your reply:
-Dave
0 -
No, I did successfully add the 1Password passkey as a system key.
But then it warns me it's not certified and I would not be able to use it for public administration services.
Like I said, I want to use it as a login provider for my country's government services.
https://obcan.portal.gov.cz/auth/nia/login
Here I pick MojeID. And when I try to use it for logging in.
As you can see, I can't log in to public administration services with MojeID because it requires the passkey to be at least level 1 certified.
Thanks for your help.
0 -
I hope you will add the L1 certification level. It would allow me to use 1Password for logging into government services which I currently cannot.
You said that it's not currently possible for software-based authenticators. I looked at the requirements for L1 and it says "Any device HW or SW".
https://fidoalliance.org/certification/authenticator-certification-levels/
So maybe they started allowing software authenticators?
0 -
The team is closely following the development of certifications that apply to passkey authenticators like 1Password. As mentioned, this kind of certification currently only applies to U2F and FIDO2 hardware security keys, not software authenticators like 1Password.
The certification mentioned in the page that you linked to applies to FIDO's Universal Authentication Framework (UAF), which is a different protocol where the authenticator and relying party are the same company. For example, a bank may wish to create an authenticator for their services. UAF does not apply to authenticators like 1Password that want to authenticate any service; UAF only applies to a single service.
It sounds like the website that you're signing into currently requires either a hardware security key or an Android device "system key". Both passkeys and hardware security keys are a type of Web Authentication (WebAuthn) credential. WebAuthn is a standard developed by the FIDO Alliance (of which 1Password is a member): FIDO2: Web Authentication (WebAuthn) - FIDO Alliance
I've filed an issue with our development team to have them look into turning off 1Password's passkey prompts on the MojeID website in order to reduce confusion since passkeys saved in a software authenticator like 1Password won't work there. For now, it looks like using a hardware security key or an Android device are the options provided by the website for you to use. I recommend that you remove the passkey from both the MojeID website and from 1Password and then use either a hardware security key or an Android device as recommended by MojeID.
Let me know if you have any questions. 🙂
-Dave
ref: dev/core/core#32710
0 -
Yes, the MojeID website officially allows:
1) Its own authentication app
2) Physical hardware key like YubiKey
3) System key in Android or Windows
I thought that if system keys in Android and Windows Hello work then 1Password will work as well. But thanks to your explanation I now better understand that there is a difference.
I removed the 1Password passkey. Thanks.
0
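
An added example, not part of the thread and not MojeID's or 1Password's code: one way a relying party could enforce the "at least FIDO_CERTIFIED_L1" rule quoted above, assuming it reads the AAGUID from the registration's WebAuthn authenticator data and looks it up in FIDO Metadata Service entries. The AAGUIDs, the metadata entries and the `rp.example` name are constructed samples.

```python
import hashlib
import struct
import uuid

# MDS certification statuses, lowest to highest level.
LEVELS = ["FIDO_CERTIFIED_L1", "FIDO_CERTIFIED_L1plus", "FIDO_CERTIFIED_L2",
          "FIDO_CERTIFIED_L2plus", "FIDO_CERTIFIED_L3", "FIDO_CERTIFIED_L3plus"]
# MDS statuses that disqualify an authenticator whatever level it once reached.
DISQUALIFYING = {"REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
                 "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}

def aaguid_from_authdata(auth_data: bytes):
    """Return the AAGUID string from authenticator data, or None if not present."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authenticator data too short")
    if not auth_data[32] & 0x40:  # AT flag: attested credential data follows
        return None
    if len(auth_data) < 55:  # + AAGUID(16) + credentialIdLength(2)
        raise ValueError("truncated attested credential data")
    return str(uuid.UUID(bytes=auth_data[37:53]))

def meets_level(aaguid, entries, required="FIDO_CERTIFIED_L1"):
    """True if the metadata entry for this AAGUID reports at least `required`."""
    entry = next((e for e in entries if aaguid and e.get("aaguid") == aaguid), None)
    if entry is None:
        return False  # no AAGUID or no metadata entry: treat as uncertified
    statuses = [r["status"] for r in entry.get("statusReports", [])]
    if DISQUALIFYING.intersection(statuses):
        return False
    reached = [LEVELS.index(s) for s in statuses if s in LEVELS]
    return bool(reached) and max(reached) >= LEVELS.index(required)

def sample_authdata(aaguid: str) -> bytes:
    """Constructed authenticator data, COSE public key omitted for brevity."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(b"rp.example").digest() + bytes([0x45])  # UP|UV|AT
            + struct.pack(">I", 0) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id)

# Constructed AAGUIDs and metadata entries, not real products.
HW_KEY = "11111111-2222-3333-4444-555555555555"
SW_PROVIDER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ENTRIES = [
    {"aaguid": HW_KEY, "statusReports": [{"status": "FIDO_CERTIFIED_L1"}]},
    {"aaguid": SW_PROVIDER, "statusReports": [{"status": "NOT_FIDO_CERTIFIED"}]},
]

if __name__ == "__main__":
    for name in (HW_KEY, SW_PROVIDER):
        print(name, meets_level(aaguid_from_authdata(sample_authdata(name)), ENTRIES))
```

This covers only the metadata lookup. The AAGUID is self-reported unless the relying party also verifies the attestation statement against the root certificates in the authenticator's metadata, so a production check needs that step before trusting the level.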