AWS Passkey is incorrectly listed in Watchtower

Maelstromeous
Community Member
edited September 2023 in 1Password in the Browser

Watchtower is currently listing AWS (presumably because passkeys.directory is listing amazon.com as a supported site) with the ability to use Passkeys.

AWS supports hardware TOTP keys only; it does not support Passkeys currently.

Therefore, AWS entries should not currently be showing up in Watchtower.


1Password Version: 8.10.6
Extension Version: 2.16.0
OS Version: Windows 11
Browser: Chrome

Comments

  • smorimoto
    Community Member
    edited October 2023

    As the title says.


    {
        "__type": "com.amazon.webservices.auth.identitymanagementadmin#WebAuthNRegisterInfoInconsistencyException",
        "message": "The Device Alias must be consistent among Begin and Finalize call. Or the Finalize call is not in the same principal as Begin call. "
    }
    

    1Password Version: 8.10.7
    Extension Version: 2.12.0
    OS Version: macOS 13.4
    Browser: Chrome

  • Hi @smorimoto, thanks for checking out the passkey early access.

    It looks like AWS doesn't support passkeys at the moment. To help show your interest in this support, you can vote for AWS on the passkey directory: https://passkeys.directory/requested-details/amazon-web-services/

    In the meantime, you can use or continue using 1Password as an authenticator for your AWS account.

    Let us know if there's anything we can help with and thanks again!

  • Hey @Maelstromeous,

    You're right, it seems to be appearing because Amazon.com does support passkeys. This is definitely unintended behaviour and we have an issue filed to see if we can improve this and I have added your report.

    In the meantime, you can ignore the alert, which will remove the alert on your AWS item and hide that alert from Watchtower.

    Let us know if there is anything else we can help with!

    ref: dev/core/core#24202

  • Maelstromeous
    Community Member

    @ag_timothy 1Password is listing AWS as supporting Passkeys via Watchtower. You may want to add an exclusion for AWS at this time as they do not support passkeys.

  • notmax
    Community Member

    The Watchtower "Available Passkeys" feature is pretty frustrating right now:

    • Amazon is supported... but not AWS
    • Paypal is supported... but only on some operating systems... and I can't make it work even then
    • Instacart is supported... but for Shoppers only
    • Synology is supported... but for the website only, not the unit... and I can't make it work even then
    • Microsoft is supported... but for Live/Xbox only, not Azure.... and it's super clunky, try another browser

    And on Windows, I couldn't even find the Passkey section, despite updating and the fact that Passkeys are mentioned in the update notes and they actually work.

    Really, Passkeys in general should still be labeled as 'beta', but this is not the impression we get from blog posts, in app promotions, etc. Even better, showing some of the real world experiences folks are posting here would save a lot of time for those of us trying to do the right thing and stay ahead on our security.

  • ajh0912
    Community Member
    edited October 2023

    @notmax

    > Amazon is supported... but not AWS

    They're aware of this issue, as above

    > Paypal is supported... but only on some operating systems... and I can't make it work even then

    1Password don't have control over the limitations PayPal impose - but yes it can certainly be annoying if advised Passkeys are possible for a login, only to find out your browser or device is not supported.

    > Synology is supported... but for the website only, not the unit... and I can't make it work even then

    The https://account.synology.com website supports passkeys. I'm using physical Security Keys with my account currently. I don't think you can mix and match physical security keys and Passkeys with their implementation. I created a new test account and registering a Passkey worked okay, Firefox & macOS with 1Password extension. You register a passkey from the 'Security Keys' section.

    Synology DSM (the actual operating system of the NAS units) also supports Passkeys, see this article. Note that the URL you are on when registering a Passkey or Security Key is very important. You need to keep in mind that a Security Key / Passkey can only be used on the same 'website' that you registered it on. So there are implications if you change the FQDN, DNS record or hostname of your NAS (depending on how you access it).

    > Microsoft is supported... but for Live/Xbox only, not Azure.... and it's super clunky, try another browser

    They're aware of this issue

    If you want to stop Watchtower suggesting any passkeys, just toggle 'Check for Passkeys' off in Settings > Privacy. It will be a while before Passkey support has less friction or 'gotchas'.
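
The hostname binding described in the comment above comes from WebAuthn's relying party ID (RP ID) rule; the sketch below is an added example, not part of the thread and not code from 1Password, Synology or any browser. It assumes constructed hostnames and a three-entry stand-in for the Public Suffix List, and the function names are hypothetical.

```javascript
// Added illustration of WebAuthn RP ID scoping. Hostnames are constructed.
// Tiny stand-in for the Public Suffix List (assumption, not the real list).
const PUBLIC_SUFFIXES = ["com", "net", "co.uk"];

// WebAuthn only accepts domain names; IPv4/IPv6 literals are rejected.
const isIpLiteral = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

// Longest listed public suffix of a host; falls back to the last label.
function publicSuffixOf(host) {
  const matches = PUBLIC_SUFFIXES.filter(
    (s) => host === s || host.endsWith("." + s));
  matches.sort((a, b) => b.length - a.length);
  return matches[0] ?? host.split(".").pop();
}

// May a page served from `host` claim `rpId`? The RP ID must equal the host
// or be a registrable parent domain of it, never a bare public suffix.
function rpIdAllowedForHost(rpId, host) {
  rpId = rpId.toLowerCase();
  host = host.toLowerCase();
  if (!rpId || isIpLiteral(host) || isIpLiteral(rpId)) return false;
  if (rpId === host) return true;
  if (!host.endsWith("." + rpId)) return false;
  const suffix = publicSuffixOf(host);
  return rpId !== suffix && !suffix.endsWith("." + rpId);
}

// A passkey is stored under the RP ID used at registration. It is offered
// only when the current page may claim, and does request, that same RP ID.
function passkeyUsable(credential, pageUrl, requestedRpId) {
  const host = new URL(pageUrl).hostname;
  const rpId = requestedRpId ?? host; // WebAuthn default: the page's host
  return rpIdAllowedForHost(rpId, host) && credential.rpId === rpId;
}

const registered = { rpId: "nas.example.com" }; // constructed credential
console.log(passkeyUsable(registered, "https://nas.example.com:5001/"));
console.log(passkeyUsable(registered, "https://storage.example.com:5001/"));
console.log(passkeyUsable(registered, "https://192.168.1.10:5001/"));
```

The first call succeeds; the renamed host and the IP address both fail, so a rename or a switch to IP access means registering the passkey again under the new name.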

  • J4rm4n
    Community Member

    In case anyone is wondering, AWS still does not support passkeys as I've just got the very same result as smorimoto.

    To notmax's list I would add NVIDIA Store, which is incorrectly pointed out by Watchtower. While NVIDIA accounts support both MFA and passkeys, NVIDIA Store accounts (for some reason managed separately by NVIDIA) don't support either and Watchtower should reflect that.

  • Hey @J4rm4n, thanks for writing in. I'm sorry for any inconvenience caused by this.

    I've created an issue for our development team to look further into this. In the meantime, I'd recommend ignoring the Passkey Watchtower notification for the Nvidia Store Login item.

    -Evon

    ref: dev/core/core#28164