Feature Request: OTP 2FA MFA copy / fill keyboard shortcut (Two-Factor Authentication)

24

Comments

  • brenty

    Team Member

    Hopefully we'll be able to add filling TOTP support in the future. Thanks for letting us know you'd find that useful! :)

  • Registered just to +1 this FR.

  • brenty

    Team Member

    Thanks, and welcome! I hope we'll be able to make it even easier to fill TOTP codes in the future. :)

  • elyscape
    edited December 2015

    I just posted this in another thread, but I had an idea for how to do this! You could add a designation for fields on a site entry that, whenever the site is used, automatically copies that field into the clipboard. Then the user could just paste the MFA key in the right place after filling in the login info.

  • brenty

    Team Member

    Definitely an interesting idea. I see lil bobby has already passed it along. Thanks for the suggestion! :)

  • Runar Junior Member

    Happy new year, and great work on 1Password 6 (even if this request did not make it)!

    Do you have any news regarding the progress on OTP improvements? :smile:

  • Jacob

    Team Member

    @Runar Nothing official at the moment, but keep an eye out. :)

  • Right. Support for this is important, though even more so for 1Password for Teams.

  • Jacob

    Team Member

    :+1::)

  • brenty

    Team Member

    It's certainly something we'll consider implementing across all platforms. Just keep in mind that this discussion is about 1Password for Mac. ;)

  • cjs226 Junior Member

    +1

  • Drew_AG 1Password Alumni

    Thanks for taking the time to let us know, @mbd! Hopefully we'll be able to find a way to make this easier for you in the future.

    ref: OPX-758

  • Thomas Junior Member

    +1. Same here. Use OTP all the time with AWS

  • Drew_AG 1Password Alumni

    Thanks for letting us know! :)

    ref: OPX-758

  • +1 have been wondering when we're going to get this feature.

  • Drew_AG 1Password Alumni

    Thank you for your feedback! It would certainly be a helpful feature. I can't make any promises one way or another about if/when we'll be able to do this, but I'll gladly add your comment to our internal tracker. :)

    ref: OPX-758

  • There's a question I have for MFA support in 1Password:
    Doesn't this weaken security at least a little bit? Not in every case of course. If your credentials are compromised during transfer, you should be safe, but if your machine is compromised and someone gains access to your 1password data they have no further barriers in their way. Isn't this why usually when you read about enabling MFA that the recommended use is either dedicated hardware or your phone (which for many people doesn't have their passwords stored)?

    Regardless if you as a user choose to store your MFA in 1password, it would be really nice to have some sort of autofill, so +1 to that. I'm just more concerned that people will not realize that they are weakening their security without knowing, even with the current feature set. Maybe a tooltip or warning label or something like that would be good here?

  • jpgoldberg Agile Customer Care

    Team Member

    Thanks @Mallox!

    There are lots of different reasons for using two-step verification. And for those situations when the actual security properties of an actual separate factor matter then you should not be putting your TOTP secret in the same place that you put your password. But those circumstances are exceedingly rare in the use of TOTP.

    We need to separate out the security benefits we get from the one-timeness of two-step verification from the two-factorness of these systems. The threat models for which the two-factorness actually plays a role in helping most people are very, very narrow.

    Consider the case you mention where the device from which you use your password is compromised. Remember that in these cases the attacker can get both the password and the temporary one time code as they are submitted in the web forms. TOTP does help you, but not because you got the six digit code from another device, but because the six digit code is a one-time password. It is the one-timeness of TOTP that is helping you, not the second factor.

    It is also important to note that for some sorts of services that you might be authenticating to, secrets will be delivered to the system on which you entered your password, and an attacker who has compromised that system will have access to those secrets (and perhaps more during the period you are logged in) even if they don't fully catch a reusable authentication mechanism. This actually leads to a larger point of confusion about the kinds of security that 2FA is supposed to defend against.

    2FA is supposed to defend the authentication process against a situation where only one of the factors is compromised. And it does that. But the key word there is "defend the authentication process". When one of your factors (say the computer that you are using) is compromised the attacker can do much more than just go after your authentication with a remote system. So if you are only using those systems to authenticate, 2FA is a strong measure against a compromise of one of them. But if you are going to use and hold secrets (not just authentication secrets) on a compromised system, 2FA does nothing for you.

    I'm not saying that there aren't benefits to 2FA and TOTP. I believe that there are. But the benefits of the actual two-factorness aspect of it are limited to special cases. If a service that you use explicitly tells you to not manage your TOTP long term secret in the same place that you manage your static password, then definitely follow their instructions. But my guess is that anyone who actually needs that kind of thing will not have you logging in with a web browser on a general purpose device and probably won't be using TOTP.

    The places where two-factorness of 2FA would be generally useful would be like the entrance to a high security facility. Suppose there is a gate with a trained guard, an iris scanner and numeric keypad. You are supposed to type in a one-time code from a device you carry and have your eyes scanned (in front of the guard who would notice if you tried to just present a picture of someone else's eye). Now suppose that one of those devices is compromised. 2FA still will work because you aren't going to spend the rest of the day doing your top secret work on the compromised device.

    So as I said, if you really need the two-factorness, you almost certainly have other restrictions in place that would already rule out using this feature of 1Password.

  • wadey Junior Member

    I'd like to cast my vote for this feature as well. Even something as simple as a shortcut to copy to clipboard or auto-copying to clipboard after filling the user/password.

  • Megan

    Team Member

    Hi @wadey,

    Consider your vote added! :)

  • All I want is a hotkey to copy the TOTP token. I use 2FA on a regular basis and the current method of copying the token is really annoying...

  • Drew_AG 1Password Alumni

    Thank you for letting us know, @tkeeler! I'll gladly pass your feedback along to our developers. :)

    ref: OPX-758

  • +1.

    I have to do this daily for at least 1 account that has a different flow than most 2FA solutions: password and 2FA code have to be entered (concatenated) in the same (single) input field.

  • Drew_AG 1Password Alumni

    We appreciate the feedback, @XIII! I'll forward your comments to our developers as well. :)

  • For what it's worth you can add my vote for this feature as well. I hope you'll be able to find a way to work around the lack of a standard for this.

  • sjk oversoul

    Team Member

    Your interest-vote for this has been tallied, @Backspaze - thanks! :+1:

  • +1 on (1) getting a shortcut for filling in the TOTP, or even better, for (2) being able to designate the TOTP field in the saved login item so that it gets autofilled upon form submission.

  • brenty

    Team Member

    Thanks for the feedback! We'll see what the best solution might be so we can perhaps add more TOTP features in the future. :)

  • Registered just to +1.

    At DreamHost.com, the OTP (aka MFA) field appears on a second webpage after submitting the login and password.

    Being able to flag a field with the right id or name in 1password as the OTP field could work. It's readily identifiable that way: <input type="text" name="mfa_password_1" id="mfa_password_1" class="js-mfa-input" ...>.

    When autofilling, how does 1password generally decide what goes where?

    Thank you,
    Joshua

This discussion has been closed.