Forum Discussion

New Contributor

3 years ago

1Password seems to hijack webauthn rather than use CTAP for communication

I might have misunderstood something about the passkey promises 1password made here. But it seems that the browser plugin hijacks all webauthn-calls rather than to emulate a proper CTAP authenticator...

browser extension

flindeberg

New Contributor

3 years ago

Exactly! :-)

I guess someone somewhere took a design decision to side-step CTAP, perhaps since registering a USB-HID-device is problematic for a browser-extension?

My point here is that a core mechanism, but not required mechanism of passkeys according to the spec, is CDA, which normally relies on CTAP(2). I would have wanted to be able to use 1password-passkeys in a CTAP-process as a CTAP authenticator to, for example, a CTAP client in a browser on a different device.

Hopefully using the 1password-binary as CTAP authenticator is on the roadmap (in combination with using the browsers built-in CTAP client)? And a setting to disable the webauthn/FIDO-hook to cater to the scenario where you might have 1password installed but for some reason do not want to use passkeys from 1password?

Do view this as a feature request :-)

Forum Discussion

1Password seems to hijack webauthn rather than use CTAP for communication

Featured discussions

November at 1Password: the Access-Trust gap, planning your estate, and an updated unlock experience

Recent discussions

[BUG] Beta and Nightly extension degrade page's original functionallity

Ongoing Autofill Issues on Android

Items moved between vaults leave a copy in Recently Deleted

Software Licenses item icon intermittently blank/grey when new/editing

1Password for Android cannot become the default Passkeys Manager and other issues