AWS - AccountId populated with OTP Code

Logging in with AWS worked wonderfully for a while, but all of a sudden when I go to login, 1Password will REPLACE the account id field with the value of the current OTP code.

I've looked at the saved browser fields, and 'account' is there with the correct account id.

This only started happening recently, but is becoming increasingly frustrating.

Has anyone else encountered this problem? Is there a solution?


1Password Version: 1Password 7 Version 7.3.2 (70302004)
Extension Version: 4.7.5.90
OS Version: 10.15.3
Sync Type: Dropbox

«1345

Comments

  • ag_anaag_ana

    Team Member

    Hi @naydichev! Welcome to the forum!

    Can you please share the full URL where this is happening so we can test it here too? Thank you!

  • I'm also experiencing this, it stared about a week ago I think. Adding the account id to the browser fields doesn't help. Would love to get this resolved as soon as possible...

  • +1

    I'm experiencing this as well, and it started about a week ago.

    I've confirmed that the "Account ID" text field's id is "account":

    And I've set the desired string in a saved web form element called "account":

    Also, I'm using version 4.7.6.1 of the 1Password beta Chrome extension, in case that matters.

  • I'm having the exact same issue, which started today, but I've seen it (randomly) happen in the distant past. I can't remember what I did to relieve myself of the problem. But here's a possible piece to the puzzle:

    AWS's console login (both cross-account and otherwise) actually saves the AWS account ID (either the name/string or the 12-digit ID -- depends on which you enter) in a cookie. JS code on AWS's side auto-populates the Account ID field from that, regardless of what the "form field" entry has in 1Password.

    I strongly suspect that this model (and whatever the JS code does) confuses 1P's Chrome extension greatly when it comes to field selection. You can verify my claim about cookies by visiting https://aws.amazon.com/console/ (note the URL is not an account-ID-based URL! Those look https://foo-bar-blat.signin.aws.amazon.com/console ) and click the "Log back in" button.

    The real bug here, IMO, is why 1Password is trying to auto-populate the first field (AWS account ID) with the OTP. That behaviour makes little-to-no sense -- I can't even determine how or why the first form field is being given focus.

    I'm on OS X 10.14.16 (Mojave), using Chrome 80.0.3987.132, with 1Password extension 4.7.5.90. 1P itself is at version 7.4.3.

    I'd politely urge the 1P folks to mark this as a high-priority issue; this does impact 1Password for Business as well.

  • edited March 11

    I have checked my "web form details" match "account" as in the html source code. AWS seems to have changed something.

    I know 1Password is doing everything they can to help us all to resolve this issue. Excellent job guys! This is definitely NOT a P1 High Priority issue, as users can just copy/paste the account id or account alias from 1Password itself.

    Windows 10, Firefox and Chrome (latest)

  • It started for me today after the latest update (7.4.753). I even added a "account" label and put my fixed AWS alias in that field (tried a text field too). Did not help - it pastes the OTP into the "account" field every time and of course the login fails. It is actually easier to remove the OTP feature now and use my old method of copying the code since at least the login does not fail and the form resets. I login to AWS extensively for our own account and client accounts, so this is a big productivity hit for me.

    Checking the HTML source for the above screen shot, the three fields are "account", "username" and "password". In my 1P card, username and password are correct. I added "account" with my alias to fill. If I delete the OTP field from 1P, it properly fills all 3 fields. Once I add back the OTP, the OTP is copied into the "account" field.

  • Hate to +1 and run, but same issue here, and as other have reported, it has cropped up in the last few days.

    At least for now I know I'm not going crazy.

  • Any update from 1password Team here?

  • This happened to me as of Tuesday morning 3/10/20, worked Monday night 3/9/20. Did not do any updates to 1Password overnight.

    Source shows id="account" for the Account ID field. Our 1Password login pages had a field with id as the label when this worked. I updated this field on our 1Password login page to use account, and this fixed the problem on MacOS with Chrome and Safari, but did NOT fix this for other users who use Windows. The problem is still there even with the updated 1Password login page that now uses account as their label for the account number or alias.

  • Yepp, same here happens this morning 11/3! Got 1.18 passwordX

  • @Felipe Alvarez I agree with you that we can easily just copy/paste in the account string after filling and before hitting return, but myself, and I suspect @jchadwick and other 1Password users as well, probably feel that this should not be high-priority simply for the slight loss in convenience.

    Rather, the fact that a OTP would populate into an unmasked field like that is a potential security flaw. Technically someone who has compromised your AWS password could look over your shoulder and see that one-time password show up and then use it to gain access to your account before the code expires.

    Yes, it's an extremely unlikely situation that something like that would happen, and I also acknowledge that the MFA code is populated on the next page without being masked (but at least it's expected there and you can take measures to ensure no one can see your screen if you want), but given how rock-solid 1Password's security practices are in all other regards, and given how critical access to the AWS console is for most AWS admins, I think this should actually be a priority issue.

  • asiegmanasiegman
    edited March 11

    I've got the same issue. I use this daily, and the sign-in has worked beautifully for months. Worked March 10th. This morning, March 11th, is not working. OTP in the account-id field. OSX 10.15.3, 1Password 7.4.3. Happens in both Safari and Chrome, both from the App itself and from the respective extensions. If I can provide info, I'd be happy to.

  • +1 to the issue.
    Symptoms are the same for me.

  • +1 I'm affected too, along with my coworkers who use 1Password and AWS. Currently using 1Password Version 7.4.3 (70403002) and Firefox 73.0.1 (64-bit).

  • +1 Same for me too
    Using 1Password v7.4.4 on macOS with Firefox Extension v1.18.0

  • Started happening yesterday for me, exact same scenario in Safari 13.0.5 with 1Password 7.4.3 (70403002). Tried adding "account" as a web form field hoping it would prevent 1Password from filling the OTP in the account field, but it didn't work.

  • i am experiencing this same issue as well. I only started noticing this yesterday. Any update on a fix for this?

    I am running the following

    Chrome: 80.0.3987.132
    1Password X: 1.18.6

  • I'm having the same issue.

    Chrome: Version 80.0.3987.132 (Official Build) (64-bit)
    1Password X: 1.18.0

  • Just had it start happening to me as well.
    Initial testing shows that I can remedy it by adding in my account field info to the Section as well as the saved form details. For anyone that wants to get their logins working again.

  • Thank you @MattySaintG ! That worked

  • Cheers @MattySaintG that worked for me too! Just adding it to the web form details wasn't enough for some reason.

  • I'm having trouble following your directions @MattySaintG, or I'm having trouble getting it working for me.

    • I started editing my entry in 1Password
    • View Saved Form Details
    • Add a new field and label="Account", type="Text", value=
    • Save

    But then I still end up with the same problem when I try to auto fill. Did you do something differently? Into which section did you add your account field info?

  • Not sure what @MattySaintG was referring to when you mention saved form details versus section. Section is easy - I tried both a label named "account" and a text field name "account". Neither seemed to help. I started from a clean entry (deleted previous one), so the username, password and SAVED ON US-EAST-1.SIGNIN.AWS.AMAZON.COM section with "Account ID (12 digits) or account alias" added as a field. So, this was all done by just logging in and letting 1P create a new entry. I then added "account" as another field and put in my account alias, so both the field 1P created and my "account" field match. So, that works to login without OTP auto-fill. I then went and added my OTP field back to the entry. Still fills the OTP into the account field, so I removed it, since it dings the login and then I have to type in the account alias and password - so this is not just a simple inconvenience, it breaks the functionality of the auto-fill. I have gone back to using my OTP generator extension in FF, so I don't have to leave the browser to fill the OTP.

  • ag_anaag_ana

    Team Member
    edited April 9

    Thank you everyone for the additional information! I was able to reproduce the issue here, and I have opened an issue in our internal tracker for our developers to look at :+1:

    ref: dev/core/core#1154

  • ag_anaag_ana

    Team Member

    Hi Everyone! A quick update: for those of you using 1Password X, please make sure you update to 1Password X 1.18.1, which has a fix for the AWS website :)

  • Sorry for stupid question but is there any delay for Chrome extensions ? I´m trying to force an update but I still have 1.18.0, do I click to release notes I can see that there is a 1.18.1 version ? This might be a Chrome question but anywat :) Thanks for fast reply and fix, great work!

  • Hey @ag_ana - what about those of us that don't use 1Password X?

    Should we be waiting for updates to the browser extensions? Or will this be a change to the 1Password application itself?

    Thanks for the quick turn around!

  • Solution with adding account field for 1P entry works for me.
    But I added it not to Saved Form Details but as a Section.
    Label = Account
    Type = Text
    Field value = my-aws-profile-name
    Refreshed AWS login page and let 1P populate web form details, works like before the issue now

  • ag_anaag_ana

    Team Member

    @dangul:

    I think it's because of the Chrome extension review process by Google. It might take a little bit for the latest version to show up because of this, but they are usually quite fast :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file