Online bank platform disabled password manager autofill

Hi everyone,

I'm a client of the Spanish bank Openbank (https://www.openbank.es/). A few weeks ago, 1Password autofill stopped working for the PIN number field on their Client Access. When I reached out to them for a solution, they claimed it could be a change on your end. However, I realized, by creating a new login, that the PIN number field was always replaced by the value "disable-pwd-mgr-1", and that there were other hidden fields with numbers 2 and 3.

Inspecting the page, I discovered they're probably using the implementation suggested here in order to avoid password manager functionalities. It might be because of security concerns, or maybe because they released their own password manager later last year (just my guess).

Is there any way to circumvent this limitation from the platform and keep using 1Password on this website?

Thanks and regards.


1Password Version: 7.2.4
Extension Version: 4.7.3.90
OS Version: macOS 10.13.6 / 10.14.2
Sync Type: 1Password.com

Comments

  • Greetings @visualmethod,

    I haven't found a way to force 1Password to fill the PIN field yet, I'm afraid, but I will file a report. It's an odd field: they've made it look like four individual fields, but when looking at the HTML it's a single input field. It is set to autocomplete="off" and readonly, but even removing those I still can't get 1Password to fill the field. It looks like any chance of success will require modifying 1Password's behaviour, if we can get it to fill at all. I apologise that it isn't better news or that I couldn't at least offer a reasonable workaround for you right now. About the only positive slant I can put on it is that at least it's only a 4-digit PIN you need to enter via their virtual keypad.

    ref: xplatform/filling-issues#341

  • Thanks @littlebobbytables for your response (and for moving the topic to the correct forum, my apologies)

    Definitely not the answer I'd like to read tbh 😅 but I understand the issue. I recently contacted my bank's Technical Support department and they claimed that nothing on their side is blocking third-party password managers.

    The multiple input fields and disable-pwd-mgr values returned are, according to them, a measure to prevent Chrome or any other browser from asking to save the password, as their keychains are considered not secure. Oddly enough, all the browsers I use have this feature disabled following your recommendations, but the issue still remains. It's possible that a side effect of that measure is affecting some password managers like 1P.

    I hope there's a way to address this issue because, even if it's a 4-digit PIN, it was working until recently and I'm afraid it could become a common behaviour in banking platforms if they want to push their own password managers.

    Best regards.

  • Greetings @visualmethod,

    We'll have to see :smile: Regardless of any success we may have, though, the one thing you can probably rely on is for financial institutes to discover new ways to try and hamper the user. I understand the need for security, but it's almost a guarantee that if you find some head-scratching approach to a password, there will be a bank behind it. If security is the goal, why are they limiting you to a 4-digit PIN? How can allowing a user to choose something far more complex ever be a bad thing? I'm not sure I'll ever really understand.

    All the banks here in the UK that I have experience with do their own odd things, and this isn't the first time I've heard of online banking being "secured" by a 4-digit PIN either. Either it's all insane or I'm missing something.
