How to use the One-Time Password more quickly in the browser with 1Password

TheDave

I've recently migrated my 2FA codes into 1Password, and the code generation itself works flawlessly. However, my current process for logging in to a 2FA site is a bit painful, since it goes something like this:

1) Visit the URL for the site, hoping it bothers to remember me. Many sites are forgetful.
2) Hit CTRL+/ and hope it works.
3) Unlock 1Password
4) Hit the 2FA prompt
5) Start 1Password proper
6) Unlock 1Password again
7) Search for the site I'm already on.
8) Either copy/paste or Auto-Type the 2FA.

If I happen to remember to login to the full 1Password application first, it unlocks both the browser and 1Password application, but if I login to the browser before starting the 1Password application, I need to login to 1Password too. Is this necessary? Why? Note that the tray icon indicates I'm unlocked at this stage.

Second, 1Password knows the site to which I just signed in, is there a quicker way to find the current 2FA code and enter it? Perhaps for 60 seconds after signing in to a site with a 2FA code, and while on the same domain, the 1Password browser button should have a "2FA for $LASTSITE"?

It's possible I missed something feel free to tell me to RTFM if there's a better workflow.

MikeT

Hi @TheDave,

5) Start 1Password proper
6) Unlock 1Password again

What do you mean by proper, do you mean opening the main application? If yes, you don't need to do this.

You should be able to open the extension by pressing the icon on the browser's toolbar or press Control + Alt + \ to bring up the 1Password Helper, right-click on your Login and you can then click on the one-time password field to copy it.

Second, 1Password knows the site to which I just signed in, is there a quicker way to find the current 2FA code and enter it? Perhaps for 60 seconds after signing in to a site with a 2FA code

Yep, the above step I mentioned will let you do that.

and while on the same domain, the 1Password browser button should have a "2FA for $LASTSITE"?

That's a good idea, we'll look into that.

Is this necessary? Why? Note that the tray icon indicates I'm unlocked at this stage.

This article will explain: https://support.1password.com/enter-master-password-twice/

Basically, the 1Password Helper and the main 1Password applications are two separate processes and we can only unlock the other one when it is running.

So, if you've booted up the computer for the first time and unlock the 1Password Helper first without the main program opened, 1Password Helper won't be able to unlock the main program later. Once the main process has been unlocked by you, it can then be unlocked by the Helper process automatically as long as it is the same user session or in other words, the PC hasn't been rebooted or logged out.

To make this easier next time, unlock the main application first if you're booting up. Once this happens, even unlocking the Helper later will be able to unlock the application as well.

TheDave

You should be able to open the extension by pressing the icon on the browser's toolbar or press Control + Alt + \ to bring up the 1Password Helper, right-click on your Login and you can then click on the one-time password field to copy it.

Ahh, a right click, that makes sense, and wasn't something I stumbled across on my own. Thanks. I'll still like to simplify the process and remember the last item I used, including the site and specific login I picked.

The 1Password Helper and the main 1Password applications are two separate processes and we can only unlock the other one when it is running

Out of curiosity, why? Why can't the application talk to the helper to retrieve whatever information it needs to unlock when it starts?

Thanks!

MikeT

Hi @TheDave,

Why can't the application talk to the helper to retrieve whatever information it needs to unlock when it starts?

Technical and security-designed limitations in how we share secrets between both processes.

I'll still like to simplify the process and remember the last item I used, including the site and specific login I picked.

Adding the menu option to fill in the last used item's TOTP field might work here. We'll have to test to see if it works.

TheDave

Thanks!

MikeT

No problem. If you have more feedback, please do share anything you have. It's very helpful for us to figure out how to improve our experience to make it more simple to use.

Thank you for the thread!

RichardPayne

@TheDave
This is thread for the a more detailed discussion on the "multiple unlock" thing:
https://discussions.agilebits.com/discussion/38197/unlocking-needed-multiple-times

AGAlumB

Great link, RichardPayne!

@TheDave: Definitely something that's non-obvious and -- at least on the surface -- might seem a bit silly. But between browser extension sandboxing restrictions and our mandate that we encrypt data only as needed, it was necessary to do things this way. Cheers! :)

RichardPayne

But between browser extension sandboxing restrictions and our mandate that we encrypt data only as needed, it was necessary to do things this way.

I discussed the "only as needed" aspect in the linked thread, including why it's a non-argument in this case.

I've not heard an argument for this made on the basis of browser sandboxing restrictions before. Could you expand on that please?

AGAlumB

@RichardPayne: Well, for instance a Chrome extension can't access the filesystem outside of it's sandbox to, say, read and write data. Great security feature. But in the case of 1Password...well, this is exactly what we need the extension to do -- access your vault and whatnot.

So 1Password Helper (Windows) or 1Password mini (Mac) manages the data access and facilitates local websocket communications with the browser extensions to allow them to 'access' your vault and save and fill logins. Kinda cool, but that's also where we run into issues when security software blocks localhost for whatever reason. :crazy:

RichardPayne

Ah ok. I agree with what you said but I don't see how it's relevant to to the multiple unlock issue.

Nothing about it mandates separation of the main app and the helper, nor does it mandate key push over key pull.

MikeT

Hi @RichardPayne,

Nothing about it mandates separation of the main app and the helper, nor does it mandate key push over key pull.

It doesn't, this is a design of our choosing. We could've come up with a single unified program that's also serving as a websocket server and present separate contextual UIs and everything else that could be improved such as key pull. We chose to go with the current design because it is more robust this way for us.

RichardPayne

We chose to go with the current design because it is more robust this way for us.

Could you explain? I'm not seeing how a system involving IPC would be more robust than a single process.

MikeT

Hi @RichardPayne,

Stefan would be the best person to answer but a few reasons: we have a lot of things going on at the same time; Wi-Fi server (in main app only for now, not automatic), websocket server with a lot of algorithms for filling/saving (the Brain is in Helper figuring out how to fill before passing it on to extension), different contextual UIs for extension and application, and so on.

RichardPayne

@MikeT I understand that there's a lot going on but I still don't see the benefit of a multi-process solution.

MikeT

Hi @RichardPayne,

I don't think there are any benefits for majority of developers. If they can do it successfully in one single process and they likely will, that's great. Both implementations have their own pros and cons, and for us right now, there are more pros in our multi-process implementation.

Does this mean 1Password will always retain this implementation? No, we will constantly ask ourselves if it is the best we can do. On the OS X platform because we were on that the longest compared to the other platforms, we went through 2-3 complete iterations of our program already and we're not stopping to say we're done.