Passkey algorithm support

Moderator

3 months ago

Thanks for the question! I want to start by clarifying that ES256 has not been deprecated for passkey use due to weaknesses. The WebAuthn spec continues to include ES256 (alg: -7) as a valid option in pubKeyCredParams:

The following COSEAlgorithmIdentifier values are NOT RECOMMENDED in pubKeyCredParams: -9 (ESP256); use -7 (ES256) instead or in addition.

The ‘deprecated’ label in the IANA registry refers only to the numeric identifier, not the reliability or security of the algorithm, which remains strong and is widely supported by both websites and authenticator apps. Crucially, if you'd like your passkey implementation to also work with security keys shipped before 2025 or with Windows 10, not just authenticator apps like 1Password, you'll need to include support for ES256 (-7). New identifiers for algorithms like ESP256 (-9) are being proposed here:: draft-ietf-jose-fully-specified-algorithms

At the moment, 1Password supports ES256 for passkey use. I'll forward your request that other algorithms be supported to our team so that they can look into this for the future.

-Dave

#39581

Forum Discussion

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

Severe slowdown in Chrome with 1Password extension 8.11.12.27 on pages with many inputs

ssh agent and ansible 12 prompting incessantly

Feature Request: Android and SSH

Statically link ARM64 for use on Alpine phone

Fingerprint sensor support on remote systems?