How does an app know that the passkey is saved in 1Password?

Question

Hi,

I just added the Amazon passkey via their app (to check if it works with the app since there were issues with that (re: PayPal) previously to iOS 17.2 and noticed that it (the Amazon App) labeled the saved Passkey automatically as „1Password“.

Now I’m curious how it knows that I saved it there. Either it’s in the Passkey (WebAuthn) specification or Apple requires to make this info visible to the apps. Looking forward to the enlightening answer from 1P folks as you‘re usually pretty good in breaking down the technical complexities without oversimplifying things into inaccuracies.
I’m also curious if that allows apps to have more info about the item or even vault (I don’t think so, but it would be nice to have it written out) and 
if the app could deny certain provider based on their Denylist.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

1p_dave · Answer

Hello Damnatus! 👋

Thank you for the question! Passkeys contain an Authenticator Attestation Global Unique Identifier (AAGUID) which declares that a passkey was created using a certain provider. Services can use the AAGUID to label the passkeys that you create (for example, by labeling them as "1Password") in order to improve the user experience with that service.

Apps don't have access to any information that you've saved in 1Password, nor do they have access to any information about the vault that you've saved the item in.

I believe that some services already use the AAGUID to specify what kind of providers can be used with their service. For example, both Microsoft Entra and Okta allow you to add approved authenticators by AAGUID.

I hope that helps! 🙂

-Dave

1p_dave · Answer

Thank you for the kind words, I'm happy to help. 🙂

-Dave

1p_dave · Answer

gussic

Thanks for the ping. That looks correct, 1Password's AAGUID is the following:

bada5566-a7aa-401f-bd96-45619a55120d

Let me know if there's anything else that I can help you with. 🙂

-Dave

damnatus · Answer

Yes, this helps! It is a prime example for the high quality support at 1Password and of your skill specifically in writing an answer that is succinct but comprehensive and with the keyword(s) to give an entry point for further research if wanted.

Thank you 1P_Dave!

gussic · Answer

Hey 1P_Dave

Sorry, possibly a bit of a cross post but do you know what 1Password's AAGUID is? Or where we'd find it 
I understand from the post https://1password.community/discussion/comment/705983#Comment_705983 that we need to specifically allow 1Password's AAGUID in the Microsoft Entra Admin Centre for Passkeys to be enrolled (when support starts rolling out from mid-March 2024).

EDIT:

Sorry, as is always the way, you find the information you think you are looking for, right after you post!

1P_Dave can you please confirm 1Password's AAGUID is:

bada5566-a7aa-401f-bd96-45619a55120d

I sourced it from https://github.com/passkeydeveloper/passkey-authenticator-aaguids/blob/main/aaguid.json, hopefully it's still accurate/current.

Cheers

Forum Discussion

How does an app know that the passkey is saved in 1Password?

5 Replies

Featured discussions

October at 1Password: Defining new standards, empowering communities, and securing the future

Recent discussions

Manually add a masked email to a password entry.

Logging in

Passwords priority to fill

Is there a way to add an entry with a password, but no username?

How can 1Password app show all my accounts on my new Mac?