1Password X not filling some 2FA fields

This discussion was created from comments split from: 2FA autofill not working in Safari.

Comments

  • BigStef
    edited December 2019

    Actually, using the Brave browser with the 1Password X extension installed on Mac OS X Catalina shows me that on some websites, 2FA fields are correctly filled, and on some others not. Probably depending on different attributes of the 2FA field?
    For example :

    At Siteground, the 2FA field has :

    • name="two_factor_code"
    • type="password"
      And 2FA field is correctly filled.

    On Generic Joomla Backend access, the 2FA field has :

    • name="secretkey"
    • type="text"
      And 2FA field is not filled automatically.
  • kaitlyn

    Team Member

    Hi @BigStef! Deep in the 1Password code lies a filling algorithm that helps it fill a variety of fields, like TOTPs. We use different clues, including the HTML name and HTML id, so that explains why a field with a name of two_factor_code fills and a field with the name of secretkey doesn't. It's always helpful to report filling issues to us; that way we can improve the filling algorithm and make it even more universal than it already is, so I appreciate you bringing this to our attention. You mentioned Joomla, but I'm curious what the website URL you're using to sign in is. I'd like to test it out on my end and make sure the issue gets reported to our developers. If it's not a public URL, just let me know and we'll go another route.

  • BigStef
    edited January 4

    Hi Kaitlyn, Great! Thanks for considering this :)
    Actually I cannot give you any URL, as all of the websites I manage have a secret word in the URL for security.
    But if you need, I can install a test for a while with a URL I can send you?

    EDIT:
    OK - Finally I have just installed a Joomla backend access specially for the 1P team :chuffed:
    So if you need an account for access to the backend, just ask. Here's the URL if you just need access to the login window.

    For your information, this is a fresh Joomla install with no hack.
    The install package has been directly downloaded from joomla.org and installed on this subdomain.

    Just tell me when you have finished so I can erase that subdomain.

  • kaitlyn

    Team Member

    @BigStef – I really appreciate you going through the trouble to create a test case just for us! I see exactly what you're saying now. I actually think part of the trouble is that the TOTP (or secret key) field is on the same page as the rest of the sign in form. Generally, 1Password X will fill a Login, you'll proceed to the next page, and that's when the TOTP would be autofilled as I'm sure you've witnessed on other websites. If I remember correctly, Siteground's sign in page is along those lines rather than offering the TOTP right away like Joomla does. Either way, your best bet to get this one to fill will be clicking and dragging the TOTP from the 1Password X pop-up to the secret key field. I created a little screencast so you can see exactly what I mean.

    As a side test, I used the inspect tool to make some tiny tweaks to the secret key field's HTML. Simply changing the HTML name to "OTP" or "two_factor" or something along those lines actually caused 1Password X to fill my [fake] TOTP correctly. I'm not sure if Joomla would welcome a change like that, but it's something you could reach out to them about and suggest they alter their code even slightly. The "secret key" thing is new to me, and I wouldn't call it industry standard.

  • Hi Kaitlyn, I think you're right about the standard thing. I will open a ticket on their GitHub and see what happens. I will come back to give some feedback here. Thanks for your time spent here :)

  • ag_ana

    Team Member

    Sounds good! And on behalf of kaitlyn, you are welcome :)

  • BigStef
    edited January 21

    Hi 1Password team. A discussion has been opened on the Joomla GitHub (https://github.com/joomla/joomla-cms/issues/27580). Is there any list of words 1Password recognizes available (as, i.e., for KeePassXC: https://github.com/keepassxreboot/keepassxc-browser/blob/9e9d7a5f28e6c1c200cd7cb7807f9f787ae336b4/keepassxc-browser/content/keepassxc-browser.js#L9-L17)?

  • kaitlyn

    Team Member

    @BigStef – There are honestly too many to list, but the biggest ones are: otp and totp. They can also include something like: 2fa, code, two-factor, challenge, token, mfa, and I'm sure 1Password will be able to figure it out. I'm so glad you reached out to them!

  • BigStef
    edited January 28

    Hi Kaitlyn, the discussion on GitHub is going on. Something will probably be done. But for now, the question is "Is there any Industry Standard?". This question is not without interest. As you mentioned it above, I would like to know if you have any source about that? Any information? Or is it something you have decided internally at AgileBits?

  • kaitlyn

    Team Member
    edited January 28

    @BigStef – Honestly, that's a really good question. I'm not sure that the industry standard has necessarily been declared, so I guess it depends on what "industry standard" means to you. I was taking it as what I typically see developers do when it comes to HTML for TOTP fields. To find that out, we could visit a few websites and see what their TOTP field code looks like. What I mentioned earlier is what I generally see when testing websites on a daily basis.

    As far as documentation goes, we've got a page that explains how to best design a website to work with password managers, but that's pretty simplified. I also found some info on the autocomplete attribute in Mozilla's documentation. They mention the value "one-time-code," which would also help 1Password out. So the attribute would look like autocomplete="one-time-code" as part of the field's HTML (along with a name/label/any other necessary attributes). I hope that helps!
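
The two kinds of clue discussed in the thread so far (keywords in a field's name or id, and the autocomplete="one-time-code" token) can be compared with a small field classifier. This is an added example and not part of any post; it is not 1Password's code, and the matching rules, function names and sample fields are assumptions built from the attributes and keywords quoted above.

```javascript
// Added illustration only: this is NOT 1Password's filling algorithm.
// Keywords are the ones named in the thread; the matching rules are assumptions.
const OTP_KEYWORDS = ["totp", "otp", "2fa", "mfa", "twofactor", "code", "challenge", "token"];

// Reduce "two_factor_code", "two-factor" or "TwoFactor" to one comparable form.
function normalise(value) {
  return String(value || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// autocomplete is a space-separated token list, e.g. "section-login one-time-code".
function hasOneTimeCodeToken(autocomplete) {
  return String(autocomplete || "").toLowerCase().split(/\s+/).includes("one-time-code");
}

// Explicit autocomplete hint first, then a substring guess on name and id.
function classifyOtpField(field) {
  if (hasOneTimeCodeToken(field.autocomplete)) {
    return { otp: true, reason: "autocomplete=one-time-code" };
  }
  for (const attr of ["name", "id"]) {
    const value = normalise(field[attr]);
    const hit = OTP_KEYWORDS.find((kw) => value.includes(kw));
    if (hit) return { otp: true, reason: `${attr} contains "${hit}"` };
  }
  return { otp: false, reason: "no OTP hint in autocomplete, name or id" };
}

// Constructed sample fields: the first two use the attributes quoted in the thread.
const SAMPLE_FIELDS = [
  { label: "Siteground", name: "two_factor_code", type: "password" },
  { label: "Joomla backend", name: "secretkey", type: "text" },
  { label: "Joomla + autocomplete", name: "secretkey", type: "text", autocomplete: "one-time-code" },
  { label: "unrelated coupon box", name: "promo_code", type: "text" }, // keyword false positive
];

function auditFields(fields) {
  return fields.map((f) => ({ label: f.label, ...classifyOtpField(f) }));
}

for (const row of auditFields(SAMPLE_FIELDS)) {
  console.log(`${row.label}: ${row.otp ? "OTP" : "not OTP"} (${row.reason})`);
}
```

The constructed coupon field shows the cost of name-based guessing: a bare "code" keyword also matches fields that have nothing to do with 2FA, which the explicit autocomplete token avoids.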

  • BigStef
    edited February 17

    Hi there, just to say that an official PR for autocomplete="one-time-code" has finally been posted on the Joomla GitHub: https://github.com/joomla/joomla-cms/pull/27967.

  • I have some feedback about that. Suggestion:

    Maybe 1Password should implement a check of the autocomplete property to go with the possible future standard?

    Sources:
    HTML - Living Standard
    Apple - Enabling Password AutoFill
    Any comments about that?

  • kaitlyn

    Team Member

    @BigStef – That's so awesome! Hat tip to you. 👏

    Maybe 1Password should implement a check of the autocomplete property to go with the possible future standard?

    I don't think I'm following your suggestion. 1Password X does take autocomplete into account when determining what fields should/shouldn't be filled. It's not the only thing 1Password looks at simply because the autocomplete attribute isn't always used the way it should be. It's something we mention on our page that explains how to design a website to work best with 1Password. Based on the sources you mentioned, one-time-code seems to be the standard autocomplete type for 2FA fields, which matches with what I found in Mozilla's documentation. I'm not sure what I'm commenting on, though. Could you explain your suggestion in detail so I can better understand the question?

  • BigStef
    edited February 17

    Hi Kaitlyn, thanks for answering.
    I'm feeling a bit between the hammer and the anvil. :) The PR will likely be managed by next week. Let's see what the result is. I will bring feedback here.

  • kaitlyn

    Team Member

    @BigStef – Sounds good! My bet is that 1Password will be able to fill the OTP just fine. Since I'm not able to access the previous test suite you created, I'm not able to check it out myself, but something you can do is add autocomplete="one-time-code" to the HTML via dev tools, then attempt to fill the item in the 1Password X pop-up. If the 2FA code fills, then we're looking good. I know I previously set the label to one-time-code and that worked well, so I have faith. :)

  • Hi @kaitlyn, just to tell you that I have made some tests with the first Joomla 4.0.0 Alpha (launched this month) and 1Password is able to fill the 2FA field now. This is great. :)
    Changing the element's ID on the Joomla 3.9.x series looks like it isn't possible for 1 reason: "Some 3rd party (template or whatever) may use the id in some own css (or less) file for styling" (as said on the GitHub PR).
    For info: the date of release for a stable version of Joomla 4 is not defined yet...

  • BenBen AWS Team

    Team Member

    That is encouraging news @BigStef. Thanks for letting us know. :)

    Ben
