"http auth" still missing!

yolanda
yolanda
Community Member

Hi there

I'am very disappointet that even after more than a year of waiting there is still no sollution for this needed feature.
Its clear for me that this feature needs API Support from the major Browser vendors, but there must be a other sollution if they dont move.
With 1Password mini it should be possible to sende key-sequences to a browser window.

Without "http auth" 1Password4 lacks one of the most needed feature. If i have to save the Logins in each Browser i dont need 1Passwort anymore.

// yolanda

Comments

  • sandman4sure
    sandman4sure
    Community Member

    Yes, I too was hoping it would return with 1P4...

  • nev
    nev
    Community Member

    I was hoping for this too. I can remember when 1Password could actually do this, way back.

  • Hi guys,

    HTTP Auth is an integrated feature to the browsers, the browser extensions cannot access that dialog, and that's why we cannot support it. The companies behind the browsers are aware that tools like 1Password need access to HTTP Auth dialogs but they're a bit slow to make it happen or may not do it because it is an outdated technology.

    We are hearing there were some progress in Firefox and Chrome and we'll revisit this but for now, this is not an issue with 1Password but rather the browser's extension APIs.

    As for how 1Password was able to do it in the past, we were using a binary plugin that goes inside the browsers (since they didn't have any APIs back then for extensions), and with the plugin, it could access and modify the HTTP Auth dialogs. Nowadays, this is a big no-no and so, all of 1Password browser extensions are using the official extension APIs.

    With 1Password mini it should be possible to sende key-sequences to a browser window.

    You can anchor the item's detail view on top of the auth window, click to copy each field and then paste into the HTTP Auth dialogs.

    As for being possible, it is actually difficult to do when the app is sandboxed and can't access another process.

  • pento
    pento
    Community Member

    Given that basic support was added to the Chrome API years ago, this feature could easily be added as a "you can enable this if you're okay with some UI weirdness" optional feature.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    As for being possible, it is actually difficult to do when the app is sandboxed and can't access another process.

    KeePassX for OSX has a global auto-type feature that works on all apps sandboxed or not and does not depend on any extensions or menubar tools. You just hit your hotkey and your are logged in. When they can do it, why can't you? Btw: it's open source, so you can go and check how they do it.

  • yolanda
    yolanda
    Community Member

    @MikeT: Thanks but i already now that all. I hoped not to get the same answer as we get since a year or more. All you have to do is to send keystrokes to the browser window. There is a lot of software out there which is able to do that - so dont tell me its impossible. Then be honest and say that you dont want to solve that problem.

    // yolanda

  • sandman4sure
    sandman4sure
    Community Member

    Outdated or not, there are a lot of sites which still use these type of authentication.
    I really think you guys should try to come with a solution to this problem, because automatically logging in is the core functionality of your program.

  • Megan
    Megan
    1Password Alumni

    Hi all,

    Thank you for adding your feedback to this. Personally, I'd love to see support for this type of login as well. One of the major factors in implementing a new feature is time. Because we are a small development team, we are not always able to research, test and implement all of the features that we would like to. That being said, we do take the concerns of our users into account when determining which features deserve our time and attention, so I will certainly add your votes (and mine) to this issue. :)

  • PelCayeux
    PelCayeux
    Community Member

    Hi,

    I bought 1password4 yesterday and the mainly reason was to use it with many routers I've to manage. It's a big disappointment that http auth doesn't work and I hope you'll find a solution soon.
    Best regards.

  • dma550
    dma550
    Community Member

    I agree with everyone here - I switched from roboform at quite a cost on many machiens. RF could fill HTTP authorization. I need this unfortunately for many embedded services, routers, firewalls, etc.

  • JoshFinks
    JoshFinks
    Community Member
    edited October 2013

    This is really a shame. I had a good upgrade price from 3.x to move over to this but without it I'll have to stick with LastPass and waste the money that I spent on this.

    For the life of me I can't understand why it has not been implemented. Have there been so many different features that users have requested over the years that this just gets pushed down the list and so far hasn't been implemented? I think you'll see most of your much cheaper competitors have been doing this for a long time. You probably already knew that though.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited October 2013

    LastPass for Google Chrome now contains support for basic authentication.

    1. As long as you're running the version of LastPass for Google Chrome with binary features, filling is supported for Windows and Mac OS X (Linux isn't supported at this time). LastPass Icon > Tools > About - Binary Component: True
    2. Saving basic auth logins is now supported in Chrome on Windows; however, it may not work on all basic auth logins. Saving in Firefox still offers the best basic authentication support.
    3. Basic authentication for Mac OS X requires that you enable access for assistive devices. In OS X 10.7 or less by going to Apple > System Preferences > Universal Access and checking "Enable access for assistive devices". In OS X 10.8+ by going to Apple > System Preferences > Accessibility and checking "Enable access for assistive devices" at the bottom.

    As you see, LastPass had to rely on a mishmash of buggy techniques, which don't work in all browsers, and only works sporadically in some browsers.

    For Google Chrome, they use a binary extension, which MikeT calls "a big no-no" from a security or stability perspective. LastPass still says "it may not work on all basic auth logins."

    For Firefox, I'm not sure what they do.

    On OS X, they use "access for assistive devices" which simply means that it sends keystrokes to the application as if the user was typing which is a very unreliable method and everything needs to be aligned perfectly or the data can be entered in very, very bad places, such as being typed into a web comment form instead of a login window.

    Other users have proposed that 1Password sends users to http://username:password@website.../ but this causes anti-phishing warnings to come up in most browsers (since a lot of phishing does stuff like http://paypal.com:termsofservice@malicioussite.com/). It would also require lots of changes so that 1Password knows that certain sites use basic auth and need to be handled in this way. And it would NOT allow automatic saving of such logins, since this workaround is just an ugly hack and not a proper fix and still can't actually interact with the Basic Auth window. It's just a massive, buggy, bag-of-hurt idea.

    So guys, let's face it... There is NO RELIABLE WAY to do Http Auth UNLESS browser vendors add extension APIs for doing so.

    Please, go to the browser makers and put pressure on them instead. They won't add features that they think nobody needs. And they are the ONLY ONES that can fix this situation.

    And even IF support gets added to browsers, it'll not be a quick and easy fix in 1Password. Considering that all the browser vendors need to add the feature, it could take years, if ever.

    So what other options are there? Well, you can easily open 1Password mini, pin it to the screen, and copy the username and password individually. It's no big deal, is it? If you TRULY log into a site so often that you get annoyed at this easy workaround, then just click the "Remember password" feature that's built into OS X's basic auth popups. This saves the password in the OS X keychain (which is very secure) so that you don't have to re-type it anymore.

    Luckily, 99.999999% of the web no longer uses Basic Auth.

This discussion has been closed.