Lack of "Credential Provider Extension" implementation
Reading the following post by Ricky Mondello (Apple's passkey evangelist and Passwords app developer), I'm wondering why 1Password doesn't use the built-in system APIs for authenticating passkeys, rather than hijacking the web browser API and injecting JavaScript into every page:
By listening to lots and lots of feedback, I’ve learned that if someone’s main experience with passkeys is with a password manager that doesn’t natively integrate into the OS it’s running on — instead, one that hijacks web browser API — they’re far, far more likely to think they’re not a great user experience.
Some browser extensions that replace the built-in OS experiences have done so much harm to how technologists view the technology.
I’m not saying that third-party, independent, cross-platform apps are bad. They’re fantastic! What I’m saying is that they should integrate into the native bindings to be a data source for all web browsers and apps on a platform. Nobody wants a credential that only works in web browsers and not other native apps.
It also has the side effect that passkeys don't work in native apps, which is becoming more problematic as many more apps require a (web-based) login to function.
The “Credential Provider Extension” mechanism is present on iOS, iPadOS, macOS, and visionOS, and popular password managers make use of it to perform passkey auth in browsers and apps on behalf of the user. It’s a lot more popular on iOS than on macOS, sadly. On iOS, 1Password, Bitwarden, Dashlane, Chrome, and LastPass all integrate with it to save and authenticate with passkeys.
This was discussed some months back on the old forum, but it appears that thread didn't make the transition to the new forum.
Can anyone from 1Password provide a well-reasoned justification for not using the system APIs provided and giving a worse user-experience as a result?
