Support passkeys

Vlad

A user on Discord confirmed passkeys work in last RC.

https://discord.com/channels/802933355603034132/802933355603034135/1161769510458626098

We'd appreciate to understand what is missing.

segfault

I have the 1Password Chrome extension installed in the latest Orion RC as of this writing (Version 0.99.125.6-rc (WebKit 618.1.1)).

I have an existing passkey for my GitHub account saved in 1Password. If I pick the "authenticate with passkey" option, I expect the 1Password extension to present its associated "authenticate with known passkey" UI and proceed with passkey login, but this dialog appears instead:

jmanes

If I attempt to use the passkey option I get an immediate failure.

jmanes

Vlad

We will attempt to ship this with 127

Nezteb

According to a person at 1Password, the latest Orion update (Orion 0.99.126.4 - Dec 11, 2023) has fixed 1Password's ability to use passkeys.

Granted, I don't know if this counts as "Orion supports passkeys in general" or if it currently only supports using passkeys via 1Password.

segfault

Nezteb

Just tested with Orion 0.99.126.4-rc/macOS Sonoma 14.2 (23C64) and it gets farther than before, but still isn't working for me.

A Passkey-enabled site is now correctly triggering 1Password's "Sign In With Passkey" prompt, but attempting to proceed through it results in this error instead of successfully authenticating:

Dustin

I have set up passkeys in Bitwarden so I can compare Safari and Orion's behaviour with that.

With Safari, it prompts you to sign in with the passkey:

With Orion, it does not:

Vlad

This thread is for native support for passkeys with Orion's keychain. The last few posts are about extension support and should belong in separate threads.

Dustin

Vlad Apologies Vlad!

sjerred

For anyone that's been waiting on this: it looks like Orion properly supports passkeys, at least with 1Password.

AntonMarchukov

sjerred which version? 0.99.126.4.1-beta does look to support only hardware-backed passkeys such as Yubikeys etc. But, there is still no way to either use iCloud passkeys and/or some Orion's own synced passkeys.

I have just found that Firefox now is able to access iCloud passkeys bz #1792433 on macOS. As per that bug discussion they are likely using this entitlement. This does open standard macOS dialog (the same one as in Safari) that allows to choose either iCloud or hardware-backed passkey.

eirk

Orion currently supports passkeys, but it seems to be using its own implementation.
I hope this explanation would clear up some issues and allow a proper implementation of passkeys

safari

safari saves the passkey to iCloud Keychain, which is synced on all devices, authenticated via touch id.

but, it also provides an option ot using a nearby device (iphone, ipad, or android device) to use a camera to create the passkey

or, using an external security key.

then, when authenticating, it defaults to touch id, bu also provides other choices.

firefox

exact same UX and UI as Safari. this is what orion should have implemented.

chrome

chrome saves the passkey to exact same iCloud Keychain that Safari uses (you can see that fdsa1 which was created on Safari is suggested for autofill), which is synced on all devices, authenticated via touch id.

but, it also provides an option ot using a nearby device (iphone, ipad, or android device) to use a camera to create the passkey, or an external security key

the option "using your chrome profile" creates a local-only passkey. this is what orion is doing currently. the flow for this also looks like what orion currently offers, using the same touch-id popup that orion has

chrome likely has a slightly different flow than safari/firefox bc of its "using your chrome profile" option that safari and ff don't support (and isn't necessary)

orion

orion, on the other hand, only allows for touch id and security key, providing a very different popup.

it also uses a different touch id verification popup

also, when authenticating, it uses a different touch id popup, and doesnt offer other choices for authentication

choccymalk

eirk This really baffles me. For one this is preventing using passkeys in the icloud keychain to sign in through Orion.

It really seems like Orion should use the native API rather than their own implementation. In firefox right now I can go to github, click sign in with passkey, and it uses my device passkey and signs me in immediately. I can't do that in Orion.

simplyhate

Im pretty sure passkeys are different. whenever i try and use passkeys signing into things like amazon using passkeys doesn't work and errors out without giving more information.

pn4fcwbjbb

Steps to reproduce:

Select 3rd Party Provider for Password in settings.
Ensure you have the latest plugin supporting Passkeys
** 1Password 2.16.0 - https://chrome.google.com/webstore/detail/1password-beta-–-password/khgocmkkpikpnmmkgmdnfckapcdkgfaf
Use https://passkeys.io to test.
Create an account, fake e-mail is fine.
Signup process will prompt to create a passkey.

Expected behavior:
The 3rd Party Provider handles request to create and save passkey. In my case, 1Password should pop up asking to create/update a login with passkey.

Orion, OS version; hardware type:
0.99.125 & 0.99.125.3-rc, macOS 13.6, M2

Note: this works on iOS 17 with 1Password 8.10.6 (app store release) and Orion 1.3.4 (1) which is what led me to test on macOS

aaronk6

Can this be implemented in a generic way, so it works with any 3rd-party password manager? I could use this for Strongbox (which works fine in Safari, see screenshot below). 🙂

Haarolean

Currerntly, extensions like bitwarden support storing passkeys. However, not in Orion.
While using Orion, I see in google account settings "A passkey can’t be created on this device", however this works in Chrome and when clicked "add a passkey" bitwarden popup opens.

I have a self-hosted instance of Bitwarden and happy to provide a test account for dev purposes if needed.

A note: this is no a duplicate of #3025, #3025 is more about storing the passkeys in ios keychain (and/or on TPM like Safari does), but my issue is about supporting API for extensions to do that.

expected the pop-up to appear 🙂

0.99.126

Monterey (12)

Vlad

Haarolean Steps to reproduce would be great.

« Previous Page Next Page »