Forum Discussion

passkeyin
New Contributor
25 days ago

Passkey algorithm support

Recently I began a passkey integration and I'm using 1Password to test things out.

There are a great many passkey algorithms that exist: https://www.iana.org/assignments/cose/cose.xhtml#algorithms

Unfortunately it seems like if I remove all the "Recommended: No" and "Recommended: Deprecated" ones, I am unable to get 1Password to generate a passkey. It gives me a somewhat opaque "1password encountered a problem" in the passkey dialogue after I click Save, and it seems to fall back to the browser, which prompts me for a security key.

I see this in the console log:

PortOpener: passkey-save-prompt/XXXXXX received error: "create-passkey-failed"

The algorithms I chose in order to be more secure based on the recommendations on that page and what I'm able to support in my server:

  • PS384
  • PS512
  • RS256
  • RS384
  • RS512

The "deprecated" algorithm I added to make the error go away and allow 1Password to function correctly:

  • ES256

Is there anywhere to find the full list of passkey algorithms 1Password supports so I can try to come up with a good list to use on the server side? Ideally it wouldn't contain deprecated ones.

1 Reply

  • Hello passkeyin​! 👋

    Thanks for the question! I want to start by clarifying that ES256 has not been deprecated for passkey use due to weaknesses. The WebAuthn spec continues to include ES256 (alg: -7) as a valid option in pubKeyCredParams:

    The following COSEAlgorithmIdentifier values are NOT RECOMMENDED in pubKeyCredParams: -9 (ESP256); use -7 (ES256) instead or in addition.

    The ‘deprecated’ label in the IANA registry refers only to the numeric identifier, not the reliability or security of the algorithm, which remains strong and is widely supported by both websites and authenticator apps. Crucially, if you'd like your passkey implementation to also work with security keys shipped before 2025 or with Windows 10, not just authenticator apps like 1Password, you'll need to include support for ES256 (-7). New identifiers for algorithms like ESP256 (-9) are being proposed here: draft-ietf-jose-fully-specified-algorithms

    At the moment, 1Password supports ES256 for passkey use. I'll forward your request that other algorithms be supported to our team so that they can look into this for the future. 

    -Dave 

    #39581
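
The failure described in this thread, as an added example that is not part of the original posts and is not 1Password's code: it builds `pubKeyCredParams` from a server's algorithm list, models an authenticator choosing the first offered algorithm it supports, and checks a returned credential's algorithm against what was offered. The function names and the ES256-only authenticator model are assumptions made for illustration.

```javascript
// COSE algorithm identifiers (IANA COSE registry) for the names used in this thread.
const COSE_ALG = {
  ES256: -7, ESP256: -9, PS384: -38, PS512: -39,
  RS256: -257, RS384: -258, RS512: -259,
};

// Build pubKeyCredParams, most preferred first, from the algorithm names the
// server can verify. Returns the list plus warnings about interoperability gaps.
function buildPubKeyCredParams(names) {
  const seen = new Set();
  const params = [];
  for (const name of names) {
    if (!Object.prototype.hasOwnProperty.call(COSE_ALG, name)) {
      throw new Error(`unknown algorithm: ${name}`);
    }
    const alg = COSE_ALG[name];
    if (seen.has(alg)) continue; // drop duplicates, keep the first position
    seen.add(alg);
    params.push({ type: "public-key", alg });
  }
  const warnings = [];
  if (!seen.has(COSE_ALG.ES256)) {
    warnings.push("ES256 (-7) not offered: ES256-only authenticators cannot create a credential");
  }
  return { params, warnings };
}

// Model of the authenticator side (hypothetical helper): pick the first offered
// algorithm it supports, or null when there is no overlap and creation fails.
function selectAlg(params, authenticatorAlgs) {
  const match = params.find((p) => p.type === "public-key" && authenticatorAlgs.includes(p.alg));
  return match ? match.alg : null;
}

// Server-side registration check: the alg of the returned credential public key
// must be one the server actually offered in pubKeyCredParams.
function isOfferedAlg(params, credentialAlg) {
  return params.some((p) => p.alg === credentialAlg);
}

// Constructed inputs: the poster's original list, then the same list with ES256 first.
const ES256_ONLY = [COSE_ALG.ES256]; // assumed authenticator that supports only ES256
const original = buildPubKeyCredParams(["PS384", "PS512", "RS256", "RS384", "RS512"]);
const fixed = buildPubKeyCredParams(["ES256", "PS384", "PS512", "RS256", "RS384", "RS512"]);
console.log(selectAlg(original.params, ES256_ONLY), original.warnings);
console.log(selectAlg(fixed.params, ES256_ONLY), fixed.warnings);
```
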