1Password seems to hijack webauthn rather than use CTAP for communication

Options
flindeberg
flindeberg
Community Member
in Browsers (Edge, Chrome, Firefox, etc.)

I might have misunderstood something about the passkey promises 1password made here. But it seems that the browser plugin hijacks all webauthn-calls rather than to emulate a proper CTAP authenticator.

Is this analysis correct?

How am I supposed to use CTAP BLE / NFC to use a key stored on 1password on my phone if I want to log in on a temporary computer which I do not want to store any authenticating information on?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Chrome / Firefox

Comments

  • jac.pd_1p
    jac.pd_1p
    Options

    Hi @flindeberg

    In the Open Beta of saving and signing in with passkeys from 1Password, you will see a prompt appear from 1Password asking you if you would like to save the passkey you're creating into 1Password. You'll also see the same prompt if the 1Password in your browser detects that you have a passkey stored in your account for that website.

    If you wish to use a passkey stored in another location or save it in another location other than 1Password such as iCloud Keychain or Google Password Manager, you can dismiss the 1Password prompts and the request will be forwarded to your device/browser's passkey provider method.

  • flindeberg
    flindeberg
    Community Member
    Options

    Exactly! :-)

    I guess someone somewhere took a design decision to side-step CTAP, perhaps since registering a USB-HID-device is problematic for a browser-extension?

    My point here is that a core mechanism, but not required mechanism of passkeys according to the spec, is CDA, which normally relies on CTAP(2). I would have wanted to be able to use 1password-passkeys in a CTAP-process as a CTAP authenticator to, for example, a CTAP client in a browser on a different device.

    Hopefully using the 1password-binary as CTAP authenticator is on the roadmap (in combination with using the browsers built-in CTAP client)? And a setting to disable the webauthn/FIDO-hook to cater to the scenario where you might have 1password installed but for some reason do not want to use passkeys from 1password?

    Do view this as a feature request :-)

This discussion has been closed.