
@rmondello Personally for me the biggest issue I have is I want passkeys in iOS and passwords in 1Password (can’t migrate yet), and 1P has this tiny little USB security key icon, and then macOS suggests password related things. This experience was better a couple years ago before 1P did passkeys and before the passwords app :/

@g The article we’re discussing was trying to make an argument around “normal” people, I think. People who don’t use Mastodon.

That said, let’s talk about you personally, because you were kind enough to share with me, and I appreciate that!

Can you tell me more about why you want passkeys in Apple Passwords and passwords in 1Password, instead of using one provider (even if it’s 1Password, which is great software!)?

@rmondello I don’t want to ADD more in 1Password like new passkeys, I want them platform level, but I can’t move my 1P usage out completely yet and don’t want to fragment where I have passwords.

But 1P starting to do passkeys and hijacking security keys has caused me issues at work where people tried to 2FA with Yubikeys and could not figure out how to not have 1P hijack the dialog because the freaking USB stick icon is minuscule :/

Ricky Mondello

@g I think it’s been a profound mistake on 1Password’s part that 1Password on desktop intentionally ignores the platform-native way to plug passkey data into web browsers and instead implements passkeys by hijacking the web API via their browser extension. (On iOS, however, they properly integrate as a data source.)

@rmondello For “normals” I’ve seen confusion with local Chrome passkeys too etc. Overall I think people are just concerned they don’t understand things will be reliable long term as opposed to a password they can store on paper or in their heads. But 1P… I’ve disabled its passkey support completely in many orgs cause WTF

@rmondello Pre Electron 1Password team would’ve done it right.

@g The good news is that everyone involved here is working in good faith and cares a lot about their users. The great news is that there’s still time to make the software work better.

@rmondello To be completely honest I think the issue is *we* would like the transition to happen in 2 years, but considering tons of websites still block special characters, long passwords and force expiration, this is likely something that takes deep root over a 10 year period.

@rmondello @g 💯 I’ve disabled the Safari extension on iOS and I don’t feel like I’m really missing anything. In fact the overall experience seems better to me. Wish I could do the same on the Mac.

@rmondello
I am not a Safari user so I’m not sure about there, but unless I’m mistaken their passkey support predated the macOS APIs to do that properly in other browsers? Is there an example of another third party password manager supporting it the proper way? I’d love to see the difference.

@rmondello @g The inability to use passkeys from 1Password in Safari when Lockdown Mode is enabled is very annoying. (I assume this is also a consequence of their hacky implementation.)

@rmondello everything about the 1Password 8 UI is a mistake. All I can think is that they've totally lost sight of their users. I wish there was better competition (Strongbox seems nice on Apple platforms but has no useful way to share vaults with other users; Apple Passwords is closer this year but still missing a lot of key features)

@rmondello What search terms or documentation shows how to use the native methods with Chrome or Safari? I'm crazy and want to make my own passkey provider on a weekend.

This prototype pollution has bothered me greatly the last two years and I'd love for this specific prototype to be read only. In my eyes it makes the PRF extension dangerous to build upon.

@rmondello @g
Have you checked how other tools like BitWarden handle this?