iOS has an entire facility for third-party credential managers to plug into to be a data provider for passkeys.

Some third-party credential managers have instead decided to overwrite the JavaScript API in web browsers for passkeys and security keys, making it difficult for users to use the OS functionality, causing user experience havoc.

I’ve made my thoughts on this reckless behavior clear to them and will do what I can to fix this situation up. https://macaw.social/@april/111121055176419392

April King (@april@macaw.social)

Can’t get iOS 17 and 1Password to stop fighting, seemingly can’t use 1Password only for passwords and iOS only for passkeys. Downright wild how passkeys went from a promising replacement for passwords to an awkward mess that confuses even security professionals.


It’s pretty wild to use a web extension to overwrite a browser’s built-in security-related API, like the WebAuthn API, when a browser and OS distributor has gone out of their way to build an entire API surface for you to plug into.

While this growing pain is figured out, please remember that passkeys are a password replacement, and most people aren't juggling two credential managers around.

Either way, I’ve heard the feedback, but there are others who should hear it, too. :)

@rmondello Agreed! And I wish macOS had the same feature 😉😉

It’s crazy to me 3rd-party password managers haven’t been pushing for this on the desktop. Tavis Ormandy wrote extensively about the fundamental issues with extensions (IIRC he found flaws in every single popular manager), and they apparently insist on trying to cover the sun with a sieve.

@rmondello Though I must say, iOS has a behavior that drives me up the walls: I use the OS feature to fill in a password using 1Password (no web extension crap), submit, and iOS promptly asks me if I want to save this in Keychain. If I just filled the credentials using a third party, it shouldn’t ask!

@dluz If you only want to use 1Password, and not iCloud Keychain, you can uncheck iCloud Keychain in Settings > Passwords > Password Options.

@rmondello I’m here via Reddit and 1PW’s AMA at ~3am, so forgive me if I’m misremembering this, but the other day I wasn’t able to use my NFC Yubikey for 2FA on iPhone because I had Keychain unchecked and *only* had 1Password (and GoogleAuth for TOTP) checked. Safari simply failed with no error before the usual sheet style prompt. Re-checking Keychain as a source allowed Safari to work as expected.

The only reason I keep Keychain turned off is because of how obnoxious and unpredictable it is with being greedy - trying to be the sole manager - as if 1PW wasn’t checked also.

@JT This is a very bad bug. It’s fixed in the current beta of iOS 17.1. I’m so sorry for the inconvenience it’s caused you and others.

@rmondello I’m just glad it’s a known one and not something I imagined. It’s not really that inconvenient for me. Pretty rare that I use NFC for 2FA, but Google was being insistent.

Unless you were talking about the unpredictable behavior for when Keychain and 1PW are both checked. That one’s still annoying because I can’t figure out any pattern to why sometimes iOS insists on pulling up Keychain straight away, as if 1PW wasn’t also checked. (Canceling Keychain then touching the password button again usually brings up the expected prompt to choose.)

@rmondello PS. Thanks for the (unexpected) speedy reply to a 4-day-old thread, at almost 1am your time. That’s very old school (2007-2008) Twitter vibes.