Discoverability of one-time password functionality

BobW
Community Member

This isn't really a Mac thing per se, but there's not really a better place to post this.

I think you guys need to consider ways you could increase the visibility of the OTP functionality in 1P to make it more discoverable. It's completely awesome, but in my experience, people typically don't know about it unless they actually sit down and read through the documentation and/or follow 1P (blog, forums, etc.). The problem is, compared to the overall group of 1P users, both of those subsets are vanishingly small. As a result, people have no idea that 1P can elegantly handle those codes for them, so they end up using the comparatively horrific Google Authenticator or some other solution, or even avoiding 2SA because they view it as too much of a hassle.

I have two family accounts and I am the admin for my company's team account. Across the board for all these groups, which probably means about 75 people (not a huge number, but big enough to be significant for this purpose), not one single person has started using 1P's OTP functionality on their own. At my company, we show it to people when they're hired as part of their orientation, and we share the docs URL with them, and we walk them through setting up Slack's 2SA with 1P. And still, there are <5 people who've ever set up another one. They do it that one time, think it's really cool, forget how they set it up, don't bother reading the docs or asking, and never touch it again. Instead, they typically turn to Authenticator, or worse, install another password manager alongside 1P. But they're still using 1P for basic username and passwords. This tells me there's a usability or discoverability gap that they're not getting across.

I think part of the problem is that you have to use the custom field functionality to use the OTP functionality. Most people don't even grok custom fields, so they don't get so far as to see the OTP type in the list. Maybe you could address this side of the problem by adding a default OTP field, right alongside username and password. Then, users will be reminded it's in there every time they're editing. You might even have it show something like a "set up one-time password with this site" link right next to it when you know the site supports it but they don't have it configured.

Another part of the problem is that almost no sites mention 1P in their 2SA setup processes. Most often, they point people to Google Authenticator, sometimes other apps, but almost never 1P. I think I've seen 1P mentioned maybe two or three times among the hundreds I've set up. Not sure how to address this - maybe reach out to sites and get as many of them to offer up 1P as you can? This is particularly problematic with less tech-savvy users because many sites phrase their recommendation in a way that makes it sound like nothing other than the given apps would work (think, "Use Google Authenticator to provide an extra layer of security"). Along with reaching out to sites directly for inclusion, maybe it'd make sense to push for some pseudo-standardized language that all sites can use that would make things clearer. This could certainly be pushed as having a security benefit, too, because I'm sure more people will opt into S2V when the perceived lock-in goes down.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @BobW!

    Thank you very much for taking time out of your day to share this feedback! We appreciate every idea that could make 1Password even better.

        I think part of the problem is that you have to use the custom field functionality to use the OTP functionality. Most people don't even grok custom fields, so they don't get so far as to see the OTP type in the list. Maybe you could address this side of the problem by adding a default OTP field, right alongside username and password. Then, users will be reminded it's in there every time they're editing. You might even have it show something like a "set up one-time password with this site" link right next to it when you know the site supports it but they don't have it configured.

    We have something similar already: if you add an item that supports 2FA, 1Password will show you a reminder that you can enable 2FA for this website. In the reminder, you see both a link to the instructions, and a button to enable the QR code scanner:

    Would this help?
