iOS has an entire facility for third-party credential managers to plug into to be a data provider for passkeys.

Some third-party credential managers have instead decided to overwrite the JavaScript API in web browsers for passkeys and security keys, making it difficult for users to use the OS functionality, causing user experience havoc.

I’ve made my thoughts on this reckless behavior clear to them and will do what I can to fix this situation up. https://macaw.social/@april/111121055176419392

April King:

Can’t get iOS 17 and 1Password to stop fighting, seemingly can’t use 1Password only for passwords and iOS only for passkeys. Downright wild how passkeys went from a promising replacement for passwords to an awkward mess that confuses even security professionals.

It’s pretty wild to use a web extension to overwrite browser built-in security-related API, like the WebAuthn API, when a browser and OS distributor has gone out of their way to build an entire API surface for you to plug into.

While this growing pain is figured out, please remember that passkeys are a password replacement, and most people aren't juggling two credential managers around.

Either way, I’ve heard the feedback, but there are others who should hear it, too. :)

Everyone has their reasons for doing things. The multiple password managers (it’s not just one!) who are doing this are doing it for good reasons:

1. They want to innovate with the user experience and improve user understanding.
2. This is what they *have to* do on some platforms, because there’s no other way to deliver passkey integration.

These are growing pains while everyone works together to figure this out. Everyone is acting in good faith. So no negativity in the replies, please. :)

Despite their early success, we’re still toward the beginning of the passkeys journey. Lots of incredibly smart and well-meaning people are doing their best to make this happen.

The folks who I’m ribbing on here about their web extensions are some of my favorite industry collaborators. The best of the best.

So why say anything publicly? I just want people like y’all to understand that many parties are trying to figure this all out.
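The thread talks about extensions "overwriting the WebAuthn API" without showing what that means in practice. Below is an added example (not code from this thread, from Apple, or from any password manager) of the mechanism in outline: a content script replaces navigator.credentials.get on the page so that publicKey requests are routed to the extension instead of the platform, and a small integrity check a page, or a user in the DevTools console, can run to see whether navigator.credentials.get/create is still the browser's native function. The `makeStubNavigator`, `installOverride` and `checkWebAuthnIntegrity` names are mine, and the stub navigator is a constructed stand-in so the example runs under Node; in a browser you would pass the real `navigator` object.

```javascript
// Added example, not code from the thread or from any password manager:
// what a web extension "overwriting the WebAuthn API" looks like in outline,
// and a check a page (or a user in DevTools) can run to see whether
// navigator.credentials.get/create is still the browser's native function.
// `makeStubNavigator` is a stand-in for the real `navigator` so this runs
// under Node; in a browser, pass the real `navigator` object instead.

// Native (and bound) functions stringify as "function ... { [native code] }".
function isNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Constructed stand-in for the browser's CredentialsContainer: get/create
// live on the prototype and print as native code, as they do in a browser.
// Bound functions are used because they stringify as native code.
function makeStubNavigator() {
  class CredentialsContainer {}
  CredentialsContainer.prototype.get =
    (async () => ({ source: "platform" })).bind(null);
  CredentialsContainer.prototype.create =
    (async () => ({ source: "platform" })).bind(null);
  return { credentials: new CredentialsContainer() };
}

// Outline of what an extension content script does: replace the instance
// method so publicKey (WebAuthn) requests go to the extension's handler,
// while other credential types fall through to the original implementation.
function installOverride(nav, handler) {
  const original = nav.credentials.get.bind(nav.credentials);
  nav.credentials.get = async function (options) {
    if (options && options.publicKey) {
      return handler(options.publicKey);
    }
    return original(options);
  };
  return original;
}

// Integrity check: a native credentials object has no own get/create
// properties, and both methods stringify as native code.
function checkWebAuthnIntegrity(nav) {
  const creds = nav && nav.credentials;
  if (!creds) return { available: false, overridden: false, ownProps: [] };
  const ownProps = ["get", "create"].filter((k) =>
    Object.prototype.hasOwnProperty.call(creds, k));
  const overridden = ownProps.length > 0 ||
    !isNative(creds.get) || !isNative(creds.create);
  return { available: true, overridden, ownProps };
}

// Walk through both states and report which side answered each request.
async function demo() {
  const nav = makeStubNavigator();
  const before = checkWebAuthnIntegrity(nav);
  installOverride(nav, () => ({ source: "extension" }));
  const after = checkWebAuthnIntegrity(nav);
  const passkey = await nav.credentials.get({
    publicKey: { challenge: new Uint8Array(32) },
  });
  const password = await nav.credentials.get({ password: true });
  return { before, after, passkey: passkey.source, password: password.source };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The check is a heuristic, not proof: an extension can patch the prototype instead of the instance, or replace Function.prototype.toString as well, and a script running before the extension's content script sees the clean functions. Its value is the same as the thread's complaint: once a page-level script has replaced the entry point, the site's passkey request never reaches the OS-provided authenticator path, whatever the user selected in Settings.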

@rmondello Don't worry. I know you are just trying to elevate Passkeys out of their infancy and everyone appreciates it.

The commentary is very appreciated.

I myself have reached out about this multiple times already—albeit with less influence.

@rmondello I find passkeys really exciting. One of the most exciting things to have happened in end-user IT for a long time.

But... even I am a little apprehensive. If I lose a password I only have myself to blame. But I am jaded enough not to trust technology to keep my passkeys safe.

The other component is Lost Password processes which tend to bypass all other security and rely on email being secure.

@rmondello How many years did it take to get into the password mess we're in now?

I used a Unix box in 1987 where we all shared the root password. In 1997 it was Basic Auth over http. In 2007 I started using more than one password. In 2017 a password manager entered the setup.

It's fair to think it's going to take a while to get out of this mess.

@chockenberry @rmondello thanks Ricky! I know for some people it might feel tedious, but the more people talk about passphrases*, the more people will talk about them and maybe ask questions and better understand.

*I'm trying not to call them passwords anymore so people will presume it needs to be more than one word with some creative number substitution.

@chockenberry @rmondello My first project for Mac OS X (I was still on the Mac OS 9 team at the time) was adding digest authentication to the WebDAV file system for iDisk.

@rmondello I don't want my pass(words|phrases) stored on hardware that I don't own – ever. Even with the best of intentions, we still live in a world where the third-party doctrine exists.

@erluko I just want to make sure I learn something from your message. What if nothing ever sits at rest unencrypted with some third-party, and the sync protocol is peer-to-peer and end-to-end encrypted?

@rmondello I absolutely understand. The design looks resistant to many common failure modes that others wouldn't have covered. Great! It looks like just about the best that can be done right now for people willing to use that kind of thing.

The issue here includes offline attacks, lawful intercept, or even software changes made under threat of force.

For data storage whose contents are divulged in discovery or subpoena, a strong-enough key today won't necessarily be strong enough later, and the other parties who received copies of the data have no incentive to protect end users of the original cloud-storage owner.

In this particular case, my OS vendor is offering to encrypt the data locally – but they own the local OS, the browser, and the remote storage. Only one company has to be forced to introduce a flaw in order to leak secrets elsewhere.

I'm not saying it would happen willingly!
Your company has a great track record here!

But a secret not divulged in any way to a third party is a secret that can't be stolen from that third party.

@erluko I gotcha. Just wanted to make sure *this* was the realm of thing you were talking about. Thank you for your time!

Thank you for reading and responding to all of the people on this thread. I absolutely feel heard and I appreciate it!

@rmondello You’re such a great person. I love this.

@rmondello The positivity reply then is: I LOVE THEIR PASSWORD MANAGER SO MUCH I PAY A MONTHLY FEE FOR IT. I just wish they improved in some areas :3

@rmondello I mean, the only way to use passkeys on Firefox is through a browser extension 😅

@kevin @rmondello Or by storing them on a physical security key. Also, a Firefox employee announced they’re planning to bring passkey support by November 21. https://connect.mozilla.org/t5/ideas/support-webauthn-passkeys/idc-p/39321/highlight/true#M22887
Re: Support WebAuthn Passkeys

Thank you for your ongoing engagement and enthusiasm regarding the implementation of WebAuthn Passkeys in Firefox. We understand that this feature is highly anticipated by many developers and is crucial for the future of web development. The team is actively focusing on this feature and on track to ...

@rmondello Would that be why I can only log into my apple accounts via password? Using 1Password.

@rmondello I can’t really speak for 1Password here so I could definitely be wrong, but it seems obvious to me that 1Password has an interest in a consistent cross-platform user experience that specifically does *not* look like the Apple UX, and they’re trying to own the security experience so users only have one thing to learn on all their browsers.

That said, they definitely flubbed the implementation and it doesn’t work right. But Apple’s extension point seems insufficient from my perspective.

@rmondello FWIW this is why I find it impossible to recommend passkeys to replace passwords despite really wanting to. Passwords are easy to explain if you need to deal with them: it’s text, you can read it out, you can type it in. Even TOTP keys are manageable as text if you can figure out how to access the seed. But passkeys still regularly involve understanding strings of words like “use a web extension to overwrite browser built-in API” when you need to access a bank account in an emergency.

@glyph Most people don’t need to use non-OS provided software to use a passkey, so no web extension shenanigans should ever be involved.

@rmondello “most people” in what sense? Chrome is 60% of the browser market and rarely in a configuration where it’s OS-provided.

@glyph Most people in the sense of:
1. some of this is still being built out, but on Apple’s platforms:
a. Chrome on iOS makes use of iCloud Keychain’s passkeys
b. https://9to5google.com/2023/09/14/chrome-118-icloud-passkey/
Chrome for Mac will soon let you access iCloud Keychain passkeys

Chrome 118 for Mac will let you access passkeys in iCloud Keychain. It follows Apple making it so that Chrome can access iCloud passwords...
@rmondello I really don’t want to use 1Password or any other 3rd party tool but I need sorting capabilities. I beg you, can you please advocate for ability to sort passwords by: last created, last updated, and last used etc… if I had that I think I’d switch completely out of 1Password. Pretty please? Also a dedicated home screen icon without having to use shortcuts for it would be great too 😅

@Alticus Thanks for the feedback about sorting! I’ll see what we can do.

@rmondello Thanks for being approachable and kind enough to respond. ❤️

@Alticus @rmondello This! Apple making a proper password app would do wonders for adoption.

@rmondello Seems inevitable that a password manager company is going to want to replace the built-in functionality. I appreciate your efforts to work with them.

@rmondello I’m so desperately eager to drop 1Password and move 100% to macOS password manager and passkeys, but that migration process is so convoluted, and macOS doesn’t offer a migration tool that can handle the edge cases.

Like, exporting out of 1P and importing into macOS basically requires the data to be perfect, or fields or entire sets of data get lost in the process.

@rmondello Agreed! And I wish macOS had the same feature 😉😉

It’s crazy to me 3rd-party password managers haven’t been pushing for this on the desktop. Tavis Ormandy wrote extensively about the fundamental issues with extensions (IIRC he found flaws in every single popular manager), and they apparently insist on trying to cover the sun with a sieve.

@rmondello Though I must say, iOS has a behavior that drives me up the walls: I use the OS feature to fill in a password using 1Password (no web extension crap), submit, and iOS promptly asks me if I want to save this in Keychain. If I just filled the credentials using a third party, it shouldn’t ask!

@dluz If you only want to use 1Password, and not iCloud Keychain, you can uncheck iCloud Keychain in Settings > Passwords > Password Options.

@rmondello I’m aware of that setting, but it’s too radical for me. I intentionally keep some passwords in Keychain for various reasons like convenience (see my other comment on macOS experience, for example).

This is why I wish iOS were more respectful of my use of multiple sources. Right now if I *had* to choose only one I’d go with 1P, but every year I’m more and more tempted to jump ship. (Great work, btw!)

@dluz I appreciate you talking to me about this. It’s helping me see things from another perspective. I 100% see where you’re coming from, but I also think about how any amount of extra configuration can lead to people basically breaking (and then forgetting how they broke) their setups. Such an interesting balance!
@rmondello By the way… may I ask what exactly does “Set Up Verification Codes Using” do? Is it just for TOTP, i.e. will SMS/email autofill still work if I choose a different provider?

@dluz It's just for TOTP setup, the opener for the otpauth: URL scheme

@rmondello I’m here via Reddit and 1PW’s AMA at ~3am, so forgive me if I’m misremembering this, but the other day I wasn’t able to use my NFC Yubikey for 2FA on iPhone because I had Keychain unchecked and *only* had 1Password (and GoogleAuth for TOTP) checked. Safari simply failed with no error before the usual sheet style prompt. Re-checking Keychain as a source allowed Safari to work as expected.

The only reason I keep Keychain turned off is because of how obnoxious and unpredictable it is with being greedy - trying to be the sole manager - as if 1PW wasn’t checked also.

@JT This is a very bad bug. It’s fixed in the current beta of iOS 17.1. I’m so sorry for the inconvenience it’s caused you and others.

@rmondello I’m just glad it’s a known one and not something I imagined. It’s not really that inconvenient for me. Pretty rare that I use NFC for 2FA, but Google was being insistent.

Unless you were talking about the unpredictable behavior for when Keychain and 1PW are both checked. That one’s still annoying because I can’t figure out any pattern to why sometimes iOS insists on pulling up Keychain straight away, as if 1PW wasn’t also checked. (Canceling Keychain then touching the password button again usually brings up the expected prompt to choose.)

@rmondello PS. Thanks for the (unexpected) speedy reply to a 4 day old thread, at almost 1am your time. That’s very old school (2007-2008) Twitter vibes.

@dluz macOS has the same system-wide password manager integration that iOS has, and it has for years! And in macOS Sonoma, which has been announced to be released this Tuesday, it’s expanded to include support for passkeys. https://www.macrumors.com/2023/09/24/macos-sonoma-launch-date-and-features/
macOS Sonoma Launching This Week With These New Features

Apple previously announced that macOS Sonoma will be released this Tuesday, September 26. The free software update includes many new features and...
@rmondello Wait, what?? I’m writing to 1P right now!

@dluz @rmondello at least on macOS, the 1P extension gives you a (pretty hidden) option to turn off saving passkeys… doesn’t exist on iOS

@rmondello 1P works better than Apple OSs’ managers, and is cross-platform, a capability I need. Passkeys don’t yet work everywhere (hardly anywhere). I’ll be using multiple credential managers for a long, long time, I suspect.

@JetForMe I appreciate your perspective on your own situation.

@JetForMe @rmondello and also 1P doesn't have a fundamentally broken security model. (i assume)

I assume 1P built the browser API hijacking implementation before the official API released, and didn't want to replace their cross platform system they already had and build a new one that only works on one platform

@rmondello ...and with iOS 17 it gets even more broken because any logged in device gets a passkey for your Apple ID that you cannot turn off

@tay @rmondello to be sure, 1P has gotten worse in many ways. I still haven’t updated to 8, because it’s written in Electron. Every time a company chooses some cross-platform solution, things get terrible.

But it also does so much more than keychain, like storing secure notes and files, and letting me add arbitrary info to all records, etc.

@rmondello I think what most of us want is the ability to say passkeys use the OS, and passwords are always in the third party password manager.

I’ve got negative interest in ever having a passkey in a 3rd party password manager.

I should’ve reported this during beta but I wasn’t sure since it felt by design and not an actual bug…

@g @rmondello if I used passkeys, I would not want to have them tied to one vendor. If I want to switch vendors, I want to be able to do so without having to change all the passkeys.

Stop me if I misunderstood how passkeys are managed by iOS, Android or Windows, but there seems to be, by design, no way you can transfer passkeys from one device to another, making it effectively even harder to switch vendors.
Putting passkeys in an independent password manager seems to solve that problem.

@matthieu @rmondello if you want that you can use 1P for all. It doesn’t allow exporting passkeys yet but doing this would work. I would never want this, the actual problem is it’s not much harder than before to have passkeys at OS built-in level and passwords in a third party manager.

@g @rmondello I think I understand. But what motivates you to have passkeys in the OS instead of an independent password manager? As you can probably read between the lines, I am very much against vendor-locking users, and having passkeys managed by the OS seems to further increase vendor lock-in.

@matthieu I want my devices to be my authenticators, leveraging hardware security features. If I ever wanted to completely switch I’d login and setup Android passkeys or whatever. I feel like the odds of vulnerabilities in 1P or their cloud are higher as well.

@g and is it possible to login to service XYZ with any of those devices? In which case I suppose you rely on having multiple devices so that one device can act as a backup authentication device in case you lose the other one. Did I understand correctly?
I'm currently trying to figure out how it would be possible to recover from losing an authenticator device when using only passkeys.

@matthieu I’ve got multiple devices, but if I lose them all I can restore one from an end-to-end encrypted cloud backup provided I can login to iCloud and have my 2nd factor and have the password to a prior device. (You can also configure legacy contacts and account recovery help, and don’t need to use a U2F key as 2nd factor)

@matthieu The passkeys are synced using iCloud Keychain which is end-to-end encrypted so the keys become available on all your devices at once (which for some who use their personal iCloud on work devices isn’t great but there were already 982 reasons not to do that)