Forum Discussion
khowe085
29 days ago New Contributor
Passkey Beta issues
Hello,
Edit: Apologies in advance if this feels rant-y, please order the replies by oldest so that it makes sense!
I just signed up for a test account to be able to use new login with Passkey beta. Super smooth setup, and I was surprised at how quickly I got signed into the new account on my laptop and have all my data in the new account! I have SSH keys in my vault for my NAS, GIT server and commit signing. They imported fine into the new account, and I signed out of my old account.
Using a second passkey I saved to a yubikey, I was able to check out a repo, sign a commit and push changes back to the repo. I was also able to sign into a terminal on my NAS without any issue.
On that same laptop I have a virtual machine for development work. I use MSTSC to remote into this machine, and I have WebAuthn devices forwarded to it. I'm using a Windows Hello and a Microsoft account to sign into the RDP session.
I was also able to easily sign into my 1Password account, lock and unlock my account using the Yubikey connected to the host. When I tried to check out the repo using SSH I ran into an issue.
It asked me to authenticate with my passkey for my git client to use my SSH key. Windows asked which device I wanted to use, I picked my Yubikey, entered the PIN and touched the key as normal. It did not succeed, I got a message saying "Unable to sign in, please try again later or contact support".
Looking at the logs I see:
INFO 2025-07-08T01:09:45.308+00:00 runtime-worker(ThreadId(18)) [1P:op-webauthn-authentication\src\models\sign_in_request_interpreter.rs:75] Found existing device key from disk or backup
INFO 2025-07-08T01:09:45.308+00:00 runtime-worker(ThreadId(18)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:173] webauthn sign in -- Querying auth methods in an attempt to locate a passkey public key credential and challenge
INFO 2025-07-08T01:09:45.475+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:206] webauthn sign in -- Attempting to sign a challenge to authenticate a passkey
INFO 2025-07-08T01:09:52.813+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:216] webauthn sign in -- Authenticator assertion succeeded. Now verifying the authenticator's response with B5.
INFO 2025-07-08T01:09:52.867+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:248] webauthn sign in -- Assertion has been verified. Responding with an appropriate view model.
INFO 2025-07-08T01:09:52.868+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\models\authentication_coordinator.rs:186] Attempting unlock
ERROR 2025-07-08T01:09:52.868+00:00 runtime-worker(ThreadId(15)) [1P:app\op-app\src\app\backend\webauthn_authentication.rs:201] General(WebAuthn unlock failed: AccountAlreadyUnlocked)
ERROR 2025-07-08T01:09:52.869+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:56] webauthn sign in -- General(WebAuthn unlock failed: AccountAlreadyUnlocked)
INFO 2025-07-08T01:10:00.322+00:00 runtime-worker(ThreadId(18)) [1P:ssh\op-ssh-agent\src\lib.rs:639] Session was not authorized
It might be worth noting that when signed into a RDP session like this, Windows Hello on the VM is not available. It's part of the reason I signed up for the beta, Passkey was easier than entering my 44 character master password every time I wanted to make a commit lol
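An added example, not part of the original post and not 1Password code: a small Python triage of the log lines quoted above, showing at which stage the sign-in failed. The names `parse` and `triage` and the 30-second correlation window are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log in the post above (the first three INFO lines are left out).
SAMPLE_LOG = r"""INFO 2025-07-08T01:09:52.813+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:216] webauthn sign in -- Authenticator assertion succeeded. Now verifying the authenticator's response with B5.
INFO 2025-07-08T01:09:52.867+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:248] webauthn sign in -- Assertion has been verified. Responding with an appropriate view model.
INFO 2025-07-08T01:09:52.868+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\models\authentication_coordinator.rs:186] Attempting unlock
ERROR 2025-07-08T01:09:52.868+00:00 runtime-worker(ThreadId(15)) [1P:app\op-app\src\app\backend\webauthn_authentication.rs:201] General(WebAuthn unlock failed: AccountAlreadyUnlocked)
ERROR 2025-07-08T01:09:52.869+00:00 runtime-worker(ThreadId(15)) [1P:op-webauthn-authentication\src\handlers\sign_in.rs:56] webauthn sign in -- General(WebAuthn unlock failed: AccountAlreadyUnlocked)
INFO 2025-07-08T01:10:00.322+00:00 runtime-worker(ThreadId(18)) [1P:ssh\op-ssh-agent\src\lib.rs:639] Session was not authorized"""

# LEVEL TIMESTAMP THREAD [SOURCE:LINE] MESSAGE
LINE = re.compile(r"^(?P<level>[A-Z]+) (?P<ts>\S+) (?P<thread>\S+) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
UNLOCK_FAIL = re.compile(r"unlock failed: (\w+)")

def parse(text):
    """Yield (timestamp, level, source, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["level"], m["src"], m["msg"]

def triage(text, window=timedelta(seconds=30)):
    """For each verified assertion, report what followed it within `window`."""
    events = list(parse(text))
    findings = []
    for i, (ts, _, _, msg) in enumerate(events):
        if "Assertion has been verified" not in msg:
            continue
        later = [e for e in events[i + 1:] if e[0] - ts <= window]
        reasons = {UNLOCK_FAIL.search(e[3]).group(1) for e in later
                   if e[1] == "ERROR" and UNLOCK_FAIL.search(e[3])}
        denied = any("Session was not authorized" in e[3] for e in later)
        if reasons:
            stage = "post-assertion unlock"   # assertion verified, unlock step failed
        elif denied:
            stage = "ssh-agent"               # unlock fine, agent still refused
        else:
            stage = "none"
        findings.append({"verified_at": ts, "unlock_errors": sorted(reasons),
                         "ssh_agent_denied": denied, "stage": stage})
    return findings
```

On the quoted lines this reports one finding with stage `post-assertion unlock`: the log records the assertion as verified before the `AccountAlreadyUnlocked` error and the SSH agent's refusal.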
9 Replies
- khowe085 New Contributor
Hello Phil,
Any updates on this issue?
- khowe085 New Contributor
*Crickets*
Our almighty AI overlords seem to think that this isn't supported. Can anyone from 1Password confirm?
1Password’s GUI unlock flow uses the browser‐style WebAuthn API (navigator.credentials.get) under Win32, which RDP WebAuthn passthrough does redirect back to your host’s CTAP stack and Windows Hello PIN/biometric.
1Password’s SSH‐agent feature, however, doesn’t use WebAuthn—it uses direct CTAP calls via Windows CNG/WinSCard on behalf of ssh.exe. RDP’s WebAuthn passthrough channel only covers the browser/WAM-style flows, not arbitrary CTAP provider calls from Win32 apps. Those fall back to the VM’s “local” USB/BLE/NFC providers—which of course don’t see your YubiKey—so you get errors like 0x52E, 0x80090035 or 0x8010002E in the host Event Log.
- khowe085 New Contributor
My Current situation:
I am using a VM which is a clone of the host machine it is running on. I'm signed in with a Microsoft account on both machines. "Only allow Windows Hello Sign-in for Microsoft Accounts on this device" is turned on for both machines. I am using MSTSC to remote desktop into the virtual machine, and it is forwarding WebAuthn requests to the host. Due to this, Windows Hello is not shown in the Windows settings app and the option in 1Password to use it is disabled. I was hoping to use Passkey sign-in on the VM to make signing / push commits a little bit easier since I have a 44 character Master password on my main Family account.
Passkey for my Test account stored in:
- Main 1Password family account
- Yubikey 5c
- Windows 11 24H2 Host Machine
Signed into 1Password Test Account
- Windows 11 24H2 Host machine (Native App)
- Windows 11 24H2 Host machine Web Admin(Firefox)
- Windows 11 24H2 Virtual machine (Native App)
- Windows 11 24H2 Virtual machine Web Admin (Firefox)
I am signed out of my family account on my host and Virtual machines. I can lock / unlock my 1Password test account on both the host and VM using the Passkey I have stored on my host machine and the one on the yubikey. I can auto fill passwords on both host and VM using the browser extension.
On my host machine, I can use my SSH key to check out, sign, and push commits to my local gitea instance. When I try to do the same thing on my VM I am prompted to authorize with my Passkey, go through the entire flow, and then it says "Unable to sign in. Try again or contact support".
I am seeing some errors in my host event viewer related to an attempt to clone a repo over SSH using the SSH key in my Test account vault
under WebAuthN:
WebAuthN Ctap SendCommand completed. TransactionId: {REDACTED} Error: 0x8007052E. The user name or password is incorrect.
Ctap GetAssertion completed. TransactionId: {REDACTED} Error: 0x52E. The user name or password is incorrect.
Ctap Ble Function: CtapBleProcessCtapCommandRequestCallback Location: Error: 0x80090035. The device that is required by this cryptographic provider is not found on this platform.
Ctap Ble provider thread completed. TransactionId: {REDACTED} Error: 0x80090035. The device that is required by this cryptographic provider is not found on this platform.
Ctap Ble Function: _ProcessCtapBleMultipleDeviceRequest Location: Error: 0x80090035. The device that is required by this cryptographic provider is not found on this platform.
Ctap Usb provider thread completed. TransactionId: {REDACTED} Error: 0x52E. The user name or password is incorrect.
Ctap Nfc provider thread completed. TransactionId: {REDACTED} Error: 0x8010002E. Cannot find a smart card reader.
Ctap Function: CtapSrvRpcServerSubscribeForNotifications Location: InProc Error: 0x32. The request is not supported.
WebAuthN Ngc GetAssertion completed. TransactionId: {REDACTED} Error: 0x8009001B. Provider type does not match registered value.
And then some Errors under Crypto-NCrypt:
Cryptographic Operation failed. Cryptographic Parameters: OperationType: SIGN HASH Provider Name: Microsoft Passport Key Storage Provider Key Name: S-1-5-21-REDDACTED/REDACTED/FIDO_AUTHENTICATOR//REDACTED Key Type: Algorithm Name: Failure Information: Return Code: 0x8009001B
Cryptographic Operation failed. Cryptographic Parameters: OperationType: 16 Provider Name: Microsoft Passport Key Storage Provider Key Name: S-1-5-21-REDACTED/REDACTED/login.live.com//REDACTED Key Type: Algorithm Name: Failure Information: Return Code: 0x80090011
Cryptographic Operation failed. Cryptographic Parameters: OperationType: 16 Provider Name: Microsoft Passport Key Storage Provider Key Name: S-1-5-21-REDACTED/REDACTED/FIDO_AUTHENTICATOR//REDACTED Key Type: Algorithm Name: Failure Information: Return Code: 0x80090011
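An added example, not part of the original post: the host's WebAuthN events mix bare Win32 error codes (0x52E) with HRESULT-wrapped ones (0x8007052E), so this Python sketch splits the flattened event text into records and normalizes each code to a facility and a 16-bit code per transport. The function names are assumptions for this illustration; the facility numbers are the standard HRESULT ones.

```python
import re

# Records copied from the WebAuthN event text in the post above.
EVENT_TEXT = " ".join([
    "WebAuthN Ctap SendCommand completed. TransactionId: {REDACTED} Error: 0x8007052E. The user name or password is incorrect.",
    "Ctap GetAssertion completed. TransactionId: {REDACTED} Error: 0x52E. The user name or password is incorrect.",
    "Ctap Ble provider thread completed. TransactionId: {REDACTED} Error: 0x80090035. The device that is required by this cryptographic provider is not found on this platform.",
    "Ctap Usb provider thread completed. TransactionId: {REDACTED} Error: 0x52E. The user name or password is incorrect.",
    "Ctap Nfc provider thread completed. TransactionId: {REDACTED} Error: 0x8010002E. Cannot find a smart card reader.",
])

# Facility numbers from the standard HRESULT layout (winerror.h).
FACILITY = {0x7: "WIN32", 0x9: "SSPI", 0x10: "SCARD"}
RECORD = re.compile(r"Ctap (?P<op>\w+)(?P<provider> provider thread)? completed\. "
                    r"TransactionId: \S+ Error: (?P<err>0x[0-9A-Fa-f]+)\. (?P<text>[^.]*\.)")

def decode(code):
    """Return (facility, low 16-bit code); a bare Win32 error is reported as WIN32."""
    if code & 0x80000000:                  # severity bit set: failure HRESULT
        fac = (code >> 16) & 0x7FF         # 11-bit facility field
        return FACILITY.get(fac, hex(fac)), code & 0xFFFF
    return "WIN32", code

def parse_events(text):
    """Split the flattened event text into one dict per 'completed' record."""
    out = []
    for m in RECORD.finditer(text):
        facility, code = decode(int(m["err"], 16))
        out.append({"op": m["op"], "is_transport": bool(m["provider"]),
                    "facility": facility, "code": code, "text": m["text"]})
    return out

def by_transport(text):
    """Map each CTAP transport provider (Ble, Usb, Nfc) to its normalized error."""
    return {e["op"]: (e["facility"], e["code"])
            for e in parse_events(text) if e["is_transport"]}
```

After normalization, the SendCommand, GetAssertion and Usb records all carry the same Win32 code 0x52E, while the Ble and Nfc providers report codes from other facilities.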
- khowe085 New Contributor
On the VM I uninstalled 1Password, and then deleted the 1Password folders in AppData and AppDataRoaming. After reinstalling I was able to login to that instance of 1Password as well.
I'm still stuck on not being able to use my SSH keys on the VM
- khowe085 New Contributor
I was able to sign into the web admin console using the passkey on my yubikey and 'Setup another device' to get my host machine logged back in. Was this because I was already logged into the website with that? I tried logging into the web admin console from a private window, and I needed to get a code again like I was setting up a new device.
Pretty sure I'd have to use my recovery code if I didn't have access to another device signed into 1Password. This may actually be a deal breaker for me to use this feature I was really excited about...
- khowe085 New Contributor
I tried deleting a 1Password entry from the Windows credential manager on the virtual machine, with the assumption that maybe it was from my Family account. 1Password wanted me to sign in again, it accepted my Passkey and then 1Password on my host machine prompted me to transfer the key. It gave me a code which I copy / pasted into 1Password on the VM... which then failed. I tried multiple times with the same result.
I then tried to sign out of my 1Password on my host machine... and then when I went to sign in again... it asked for the code that was being displayed on another device... except there was no other device logged into the account.
I have the Passkey on my Yubikey... why does it need another device to login? If all devices get logged out, am I forced to use the recovery key?
I don't see how Passkey can feasibly work if I need another device that is logged into 1Password. What happens if I have a fire and the only thing I have to login to 1Password with is the Yubikey I keep in a safety deposit box?
- khowe085 New Contributor
I'll also note that the initial request to authenticate comes from 1Password on the VM. When I click 'Authorize with Passkey', Windows on the host machine prompts me to sign in with my passkey, select the yubikey, enter the yubikey PIN, and touch the key.
In the VM I signed into the web admin console and created a passkey for the VM. The key was created successfully and got saved to the host machine. I repeated this a second time saving another key to the Yubikey. Both of the new Keys were unsuccessful when I tried to use them to check out the git repo.