Why aren't my TOTP (one-time passwords) filling in on sites that request them?

First of all, I'd like to thank the Agilebits team for making such a smooth and efficient TOTP service built-in to 1Password on my Mac and iOS. The one-time passwords are generated with ease and are always correct, but they are not filling in properly on websites. For example, on Dropbox:

  1. I go to the Dropbox login site, and use the shortcut Command-Backslash to invoke 1Password's autofill. It accurately fills in the email and password and goes on.
  2. Now I am at the Two-Step Verification page. In an effort to have 1Password fill in my one-time password, I press the shortcut again (command-). However, in the input box for my OTP, my email fills in and obviously it is invalid. I then have to open 1Password or 1Password mini and find my Dropbox, go inside the details and copy the OTP, then go back to the page and paste it. This has grown to be very inefficient for me.

Is there any way to enable TOTP autofilling on Mac? If not, is this coming in later versions? Thank you so much!


1Password Version: 5.3.2
Extension Version: 4.3.1.90
OS Version: OS X 10.10.3
Sync Type: WiFi Server

Comments

  • MeganMegan

    Team Member

    Hi @adihaya,

    Thanks so much for the feedback here! I see that you've already made your vote for this feature in a few other threads. I can promise you that your vote has been shared with our team.

    For other users who come across this thread, currently it is not possible to fill time-based one-time passwords directly using the browser extension. It's a feature we are investigating though - it certainly would be handy!

    ref: OPX-758

  • I'll vote for this feature, too! Auto-filling one-time passwords would be a huge improvement, especially as they're becoming more commonly required.

  • Hi @cmurtaugh,

    I can't make any promises about when such a feature will happen but I would be surprised if it didn't. It's the sort of thing where not filling this information seems wrong and everybody here at AgileBits of course uses 1Password. I can't imagine Dave Teare doesn't want to see filling for TOTP codes for example :wink: There is work to be done before this can happen though.

    While I would be surprised if it didn't happen that isn't to say I may not be surprised. I'm unable to make any promises not just as to when but if. This just seems like something that would be natural for the extension to do though.

    I've added your voice to the choir :smile:

  • I want you to add a function to send out a value of TOTP to the WEB page.


    1Password Version: 5.4b31
    Extension Version: 4.4.3b2
    OS Version: OS X 10.11 PB4
    Sync Type: Dropbox

  • Drew_AGDrew_AG 1Password Alumni

    Hi @ChaMiu,

    Thanks for letting us know you'd like to be able to do that with 1Password! I've merged your message into an existing thread about the same feature request. I can't make any promises, but I'll be glad to add your vote to our internal tracker. For now, you'll need to copy and paste the TOTP into the login form on the website.

    If you need anything else, please let us know! :)

    ref: OPX-758

  • +1, this would be super-useful.

  • sjksjk oversoul

    Team Member

    Agreed, @bgrubins. Even personally as my own TOTP usage increases. :)

    Thanks for your +1 here on this!

  • edited October 2015

    Recently I decided to increase my security behavior as soon as possible if my visited Websites support TOTP. So you can have my vote for enabling auto fill of the TOTP factor in 1Password. You can count on my contribution to verify this functionality in your Beta releases.

  • Greetings @WGBeekhuis,

    Thank you and I do hope we can have something for you to test :smile:

  • Certainly +1 from me, would love the ease of autofilling these. Regarding autofilling google logins, is there a separate thread here discussing the future feature of automating the 3-step "journey" when logging into Google sites?

  • Hello @henkisdabro,

    There is this thread, Google multi-page login [need to fill on each page: "Fill Login on current webpage" shortcut]. As you can see from the title it isn't that somehow filling is failing with Google, but more because of how big Google are a larger percentage of the user base are experiencing how multipage logins currently operate in 1Password. That isn't to say we won't consider something else but I would imagine we would only do so very, very carefully.

  • Maybe this could be done by adding a new designation type in the web form details for "one-time password"?

  • Greetings @elyscape,

    The way the web form details section works mean it will likely require something a bit different. My experience of TOTP so far has been that the request for the TOTP code is always on a separate page. The web form details section though can only describe a single page and has to match the page exactly in terms of fields present for filling with the web form details section to happen. What we need to a reliable way to say this field is a password field and this is a TOTP code field and the field type in the page can't help us here. I think the developers will have to be creative to make something reliable. Who knows, maybe I'm wrong and it's easier than I suspect.

  • The web form details section though can only describe a single page and has to match the page exactly in terms of fields present for filling with the web form details section to happen.

    That's not been my experience. Personal Capital, for example, has the username and password fields on separate pages, but 1Password is able to fill it in with no trouble.

  • Hello @elyscape,

    I don't know that site in particular but I'm guessing the two pages are pretty simple with a single field on each. If we were to delve into the page source for both you would likely find the first, the one asking for your username is a field of type text. If we are asked to fill a page and we can't use the web form details section we assume a single field of type text is the username. If we see multiple text fields we literally have to guess. On a similar note the next page I expect to be equally as simple except this time the field type will be password. When we see a single field of type password we guess that's the password field and fill it in. Both these pages are filled but do so completely ignoring the web form details.

    So the tricky part with TOTP codes is you would expect to see two pages both with a field of type password and no other reliable way to distinguish them.

    I suppose if we could flag a field as TOTP, then in some cases if the web form details section detailed just the TOTP page then we could use the basic filling I described above for the first two pages and then let the web form details fill the TOTP page. That in theory ought to work for a few sites, in theory anyway. Saying that it wouldn't be the cleanest Login item to set up as we would need to manually save the Login item on the third page, inform 1Password that it is the TOTP field and then enter the other details. Again, maybe something the devs can work with and come up with something more elegant.

  • I just had an idea! Maybe there could be a way to specify a particular field (e.g. the OTP) that should be copied to the clipboard whenever that site entry is used to fill in the browser. Then the user could just go to the MFA field and hit paste.

  • Hi @elyscape,

    If TOTP code is present in item selected for filling copy TOTP to clipboard and display notification to user of action

    Given the current approach likely used by everybody at the moment is to click on the TOTP field to copy it's current value I have to say I don't see a downside to your idea. Both you and I would like to see something better but as a temporary solution it makes it easier for the user and I can't see a downside security-wise.

    I will definitely bring this idea to the developers and see what they think. Nice thinking there :chuffed:

    ref: OPX-758

  • I was just about to post about this myself! Definitely been wanting this really bad!

  • Hi @jpartain89,

    I've added your vote to the feature request. At this point nobody here at AgileBits doesn't want to see this happen, it's just about getting a few tasks dealt with so we can allow the next round of improvements to start the development cycle :smile: I don't think there will be one person who won't be happy if we can do something here :smile:

  • Thats honestly why I love you guys, always wanting more out of an already phenomenal product. Always beyond willing to keep showing us that "extra mile" is in no way considered excess to you!

  • Those are some very kind words, thank you @jpartain89. I hope you don't mind but I shared those with the whole team so all the developers get to have that warm glow too :smile:

  • synfinaticsynfinatic Junior Member

    +1 for this feature request. I'd love to be able to specify the field to place the OTP value as littlebobbytables has described rather then the current copy & paste method.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Thanks for this feedback, @synfinatic. This is definitely something we want to explore in the future.

  • synfinaticsynfinatic Junior Member

    One thing I should point out is that putting the OTP in 1Pass pretty much breaks the security goals of 2FA/MFA. I suppose I'm ok with that in certain limited situations, but ideally:

    1. Users should be made aware of this trade off. MFA really should be call MDFA (multi-device factor auth)
    2. Some kind of extra protection around the TOTP fill in would be a good start. Perhaps, forcing you to re-auth to 1Pass?
    3. ????
  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    You're right about 1, @synfinatic. We've covered this elsewhere but most explicitly in our blog post on TOTP. I'm not sure about adding any additional barriers to users actually employing TOTP. IMHO, the added benefit of actually using TOTP and protecting that account against access outside of the devices where the TOTP secrets are stored is much more important than guarding the generated secret on the local device where you're using the codes. I hope that makes sense.

  • synfinaticsynfinatic Junior Member

    Excellent blog post and I agree with your analysis. You really should link to these kinds of posts from your User Guide so people (like myself) are more likely to find them so they can make better informed decisions. https://support.1password.com/guides/mac/totp.html

  • Hi @synfinatic,

    The guides are almost in a perpetual state of change so we'll certainly do our best to take your suggestion on board and see what we can do to improve the page :smile:

This discussion has been closed.