Forum Discussion

jwendland
New Contributor
11 months ago

Passkey authentication doesn't abort on signal

The WebAuthn spec specifies that a credential registration operation can be aborted (https://www.w3.org/TR/webauthn-2/#sctn-sample-aborting). Native authentication prompts honor cancellation through an AbortSignal passed into navigator.credentials.create; the 1PW extension does not and stays open even after abort has been called on the AbortController.

I created a sandbox (https://codesandbox.io/p/sandbox/ktptym) to demonstrate the issue. Click "Register credential". A native auth prompt will close after 5s, the 1PW overlay will not. Note that for the native authentication prompt to work, the preview needs to be opened in its own tab, as the way code sandbox iframes the preview doesn't allow for credential creation.

This issue becomes a nuisance when the server uses expiring challenges: the user sits on the 1PW passkey creation prompt for a while, the challenge expires in the meantime, the user then confirms and ends up with a dysfunctional local passkey.


1Password Version: 8.10.48
Extension Version: 8.10.48.25, 8.10.50.20
OS Version: macOS
Browser: Chrome, Brave
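
A page-side guard for the failure described in this post, as an added example (not code from the thread or from 1Password): the abort and the challenge deadline decide the outcome even when the prompt ignores the AbortSignal. `guardedCreate`, `expiresAt` and the stand-in prompt are assumptions made for illustration.

```javascript
// Added example, not from the thread. `credentials` is injected
// (navigator.credentials in a browser); `expiresAt` is the server's challenge
// deadline in ms since epoch. Both parameter names are assumptions.
const fail = (name, msg) => Object.assign(new Error(msg), { name });

async function guardedCreate(credentials, publicKey, { signal, expiresAt }) {
  if (signal.aborted) throw fail("AbortError", "aborted before start");
  let onAbort;
  const aborted = new Promise((_, reject) => {
    onAbort = () => reject(fail("AbortError", "ceremony aborted"));
    signal.addEventListener("abort", onAbort, { once: true });
  });
  const pending = credentials.create({ publicKey, signal });
  pending.catch(() => {}); // a late failure from a lingering prompt is ignored
  try {
    // The abort wins the race even if the prompt never reacts to the signal.
    const credential = await Promise.race([pending, aborted]);
    // A confirmation that arrives after the deadline is bound to a dead challenge.
    if (Date.now() >= expiresAt) throw fail("TimeoutError", "challenge expired");
    return credential;
  } finally {
    signal.removeEventListener("abort", onAbort);
  }
}

// Constructed stand-in for a prompt that ignores the signal and confirms late.
const ignoringPrompt = (delayMs) => ({
  create: () => new Promise((resolve) =>
    setTimeout(() => resolve({ id: "constructed-cred" }), delayMs)),
});

async function demo() {
  const run = (prompt, signal, ttlMs) =>
    guardedCreate(prompt, {}, { signal, expiresAt: Date.now() + ttlMs })
      .then((c) => c.id, (e) => e.name);
  const ac = new AbortController();
  setTimeout(() => ac.abort(), 20);
  return [
    await run(ignoringPrompt(60), ac.signal, 1000), // aborted at 20 ms, confirmed at 60 ms
    await run(ignoringPrompt(40), new AbortController().signal, 10), // challenge expired
    await run(ignoringPrompt(5), new AbortController().signal, 1000), // confirmed in time
  ];
}
```

The guard does not close the overlay or undo a passkey the extension has already saved; it only keeps the page from treating a stale confirmation as a successful registration, so the app can restart with a fresh challenge.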

4 Replies

  • atyndall
    New Contributor

    1P_Dave I’m encountering the same issue when building a sign-in page that transitions from a conditionally mediated passkey sign-in (used before the username is known, see https://web.dev/articles/passkey-form-autofill#call_webauthn_api_with_the_conditional_flag_to_authenticate_the_user) to a scoped passkey sign-in (restricted to a specific user after the username is entered).

    The conditional mediation approach relies on proper AbortController support, as outlined in the WebAuthn docs. In a single-page app, there’s no way to dismiss the unscoped 1Password prompt when transitioning to the scoped challenge. Since the challenge changes at that point, the entire flow breaks. If the user interacts with the lingering 1Password prompt, it fails because it’s still tied to the old, expired WebAuthn challenge.

    Also, 1Password’s UI appears like a standard prompt during conditional mediation, which undermines its purpose. Conditional mediation is meant to stay passive until the user interacts with the username/autofill field.

    • 1P_Dave
      Moderator

      atyndall

      I'm sorry for the delayed reply. I've shared your feedback and comments with our development team so that they can look into this further. 

      -Dave

  • Hello! 👋

    I'm sorry for the late reply here. Our development team has an internal work item open to better handle how 1Password receives and supports AbortSignal and I've added your feedback there. 

    While I can't share an ETA on when this work will be done, this is something that the team is aware of.

    -Dave

    #34567

  • Confirmed as well. I've run into this with autofill turned on for a SPA with client-side navigation. You view the login page, autofill causes 1Password to pop up (when you already have a passkey saved for the site), you navigate away and the 1Password prompt does not dismiss itself.