Recommended way to handle multiple ID formats for same login?

My company uses Office 365 logins for a number of things, including our VPN and SSO to certain services. For some services I need to use my full email address as my login, but for other services I need to omit the domain, so I've found my choices are either to have near-duplicate entries in 1Password (and ignore the warnings that I've reused the password), or to have only one entry and manually delete the domain from the ID field for the services that require I not use it. I'm hoping that there is - or could be! - a better way. This is probably better explained with a few examples:

Let's say our domain is foo.com and my Office 365 ID is [email protected]. To log in to our VPN I use [email protected] with my password. I also have a Google Auth-type one-time password stored in 1Password. So far, life is good.

But we also use a self-hosted instance of the application bar.com. Normally people would log in at bar.com with their full login (e.g. [email protected]) but because we host our own instance, I need to log in at foo.bar.com with only the username joel, as @ foo.com is assumed. But despite the two different usernames, my VPN and this service are authenticating [email protected] at Office 365. Further complicating the matter, foo.bar.com also supports OTP but it's implemented in that service, so it's a different OTP. As a result, here's what this login looks like in 1Password (domain name of main username field, websites, and name of secondary service redacted. Enjoy the expired OTPs though!)

What I guess I'm hoping for is either a way to link multiple logins to the same password (in a way that recognizes this is safe, and not me being dumb and sharing passwords), or a way to specify within a single login that the username field might take multiple formats - with or without domain name. The latter approach would still require me to deal with OTP manually though, as I do today.

So if this already exists, any education on how to do it would be greatly appreciated. If not, I assume I'm not the only one dealing with SSO-related username issues like this, so please take this as a feature request. If I haven't explained the issue clearly above, my apologies, and please feel free to request clarification.

Thanks!

-joel


1Password Version: 7.3.2
Extension Version: 4.7.5.90
OS Version: macOS 10.14.6
Sync Type: iCloud

Comments

  • Hi Joel! I'll say upfront that there's not a super elegant solution to this currently, so your request is something for our developers to think about.

    That said, some possibilities for handling this are using custom fields to add the various versions of your username and adding each website as a secondary, tertiary, and so on website all in the same item (since one item can have multiple websites listed). Of course, you won't be able to strictly use autofill in this case—you'll need to copy and paste from 1Password mini or use drag and drop. It looks like you're doing this right now as best you can. The other option, as you described, is to indeed just use separate logins in 1Password. That makes autofill a breeze, but of course then there's the reused password warning.

    I realize that's not the most enlightening — most of it is just repeating your options back to you, since you're a wise 1Password user and have already thought through the possibilities. :smile: Ultimately you'll have to roll with whichever option works best for you for now, and we'll see what we can do in the future. I personally would like to see some more customizability around Watchtower warnings (e.g., I have a Wi-Fi password for my folks that I can't get them to change, but it's a vulnerable password, and it pains me to see that warning in 1Password), but of course we have to make sure we find the right solution. The goal, after all, is keeping people safe, and we wouldn't want people to not know they are reusing passwords, in those cases where they actually are (unlike your SSO situation).

  • Thanks for the response. Yeah, I know you'd want to be careful in handling this situation such that you don't solve this for the minority of users who face it but in so doing make things more complicated or less secure for the majority of users who don't. Ideally your crack team can find a perfect solution for this situation, but being able to turn off the Watchtower warning ("Are you sure? Really? You're not just being dumb?") would be a big step forward, as I use this login far more than all other ones combined, and I don't want to be unfairly password-shamed all day long! Between insecure but unchangeable passwords and the various SSO systems out there, there is definitely more of a gray area around password "reuse" than 1Password currently supports.
