Skip to main content
May 30, 2026
Question

Browser extension WebAuthn PRF extension not spec-compliant

  • May 30, 2026
  • 3 replies
  • 119 views

Hi there,

Noticed that the 1Password browser extension returns a non-spec-compliant response type when trying to create a credential with the WebAuthn PRF extension.

I came across this while building a project using https://github.com/FiloSottile/typage#encrypt-and-decrypt-a-file-with-a-passkey.

According to https://w3c.github.io/webauthn/#dictdef-authenticationextensionsprfvalues, the `results` should be of type https://webidl.spec.whatwg.org/#BufferSource which is an `ArrayBuffer` or an `ArrayBufferView`. In poking around in my browser, it seems the 1Password implementation returns a plain `Array`.

I've got a fix ready for that specific library (I've contacted the author to see if they'd accept a PR) but figured I'd mention it to you folks as well just in case.

3 replies

June 5, 2026

We've noticed that 1Password changed the return value for the primary refresh token, when calling `navigator.credentials.get()`. From what used to be ArrayBufferView (we think) is now a plain Array.

This is currently also inconsistent across platforms. Current Safari still works, while Chrome and Firefox extensions are broken.

1P_Dave
1Password Employee
June 5, 2026

Hello @sisk and @klw! 👋

Thank you both for reporting this! It looks like we've received other reports as well and a bug report has been opened with our development team to look into this further. So that I can flag this further internally, are you able to share the following: 

  • The version of 1Password in the browser where you first noticed the issue.
  • A link to a website using an implementation of the PRF extension for passkeys where this issue breaks passkey functionality with 1Password. 


I look forward to hearing from you. 

-Dave

Issue=FS-5593

siskAuthor
June 5, 2026

@1P_Dave hiya! I made a little test case for ya. https://jasisk.github.io/1p-prf-testcase/

Just click the two buttons in order. It'll spit out whether the prf output from the generated credential is spec-compliant or not (and then some extra metadata because why not).

The browser-native implementation shows ✅ while the 1Password credential shows 🚫. This is reliable across Firefox 151.0.3, Chrome 149.0.7827.54, and Safari 26.5.

I'm current on extension version `8.12.22`. I must have been on `8.12.21` when I noticed a week ago but I'd guess this has been around since support for the prf extension was added (2024?). Such a minor thing that I could definitely see it going entirely unnoticed.

June 8, 2026

I agree to the timeline. Although PRF extension was working for us until about 1-2 weeks ago (with ArrayBufferView return value) it broke then return just the Array. The test site @sisk provides looks like it should be enough to fix this.

If you need more, let me know.

siskAuthor
June 8, 2026

Thanks for the confirm! To be clear, my timing guess was based on _zero_ evidence. Purely a gut take based on the specificity of it and what I thought were low odds that I happened to stumble upon it right when it was introduced 😄.

In hindsight, I've been working on this thing for a few weeks now. My primary test case is a hardware token so I convinced myself I must have only been testing against that prior to finding this but I probably DID try and succeed with 1P.

June 8, 2026

@sisk We also test for hardware tokens. Yubiekey 5 works well for us. Do you have any recommendations for other hardware or software you tested successfully?

We are maintaining this list of compatible passkeys for our appointment booking software: https://open-reception.org/getting-started/#passkeys

Always looking for more working solutions.