One-time passwords don't autofill.

It would be really great if one-time passwords could be autofilled similarly to standard passwords. Currently to copy a one-time password, it takes the following:
cmd-opt-\ (open 1Password menu)
right-arrow (descend into default entry)
down-arrow (one or more times, to highlight the one-time password field)
enter (to copy)
cmd-v (to paste)
enter (to submit)

If it could be autofilled, that would all be one keystroke (cmd-) just as standard passwords work already.


1Password Version: 6.0.1 (app store)
Extension Version: 4.4.4
OS Version: OS X 10.11.3 Beta
Sync Type: iCloud
Referrer: forum-search:Autofill one-time passwords

Comments

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Thanks for the suggestion, @jdfrench. This is definitely something we want to explore, but it's a tricky task to get right. The main reason being that the page where you enter the TOTP is not usually the same page that has the login form. Right now, 1Password doesn't really have a concept of a login that lasts more than a single page load. When we do get to exploring this, it will probably start out supporting the most popular sites (Dropbox, Github, Google, Evernote, etc.) before we can tackle making a general purpose solution that works for any login with a TOTP field. I don't have a timeframe to share for when you could expect it or even when it will bubble up to the top of our development list, but I wanted you to know it's something we're thinking about and want for ourselves too. :smile:

    Thanks!

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • edited March 2016

    I've seen a few similar threads to this, from what I can gather you guys are struggling to solve the problem of integrating the TOTP field with the standard login procedure. Where the login will take place over two separate pages, rather than one. And how best to fit the extension into that.

    Obviously I don't know the internals of the system and may be overlooking a few things, but there seem to be a few clear solutions to me.

    1. Alternative shortcut. A simple keystroke away from the main one would do (cmd+shift+\) to autofill a onetime password to the first text field detected on the page.
    2. Smart adjustment of the shortcut function. This could be done in a number of ways, most simply, if a user has just autofilled a login (within the last minute, say), and the user has specified a onetime password field, then the next instance of (cmd+\) on the same website will autofill the onetime password.
    3. Perhaps the most complicated: the addition of something like 'teach 1password a custom field' in the 1password mini toolbar (probably somewhere next to the password generator). This would consist of a couple steps after being clicked:
      a) Prompt the user to select their custom field on the webpage. (Once selected, 1password internally takes note of the URL and field name)
      b) Prompt user to select which custom value to autofill from an existing 1password item. Once a custom field is selected, 1password will map the two together as a substitute autofill for the normal login credentials in the case of both the noted URL and custom field name being detected on a page.
  • Hi @aidantwoods,

    If my understanding is correct a lot of the difficulties we're facing are due to design decisions we made when login pages were very different. It used to be login pages were fairly simple and all you'd be asked for was a username and password on a single page. Now many sites are still like that and I do firmly believe a nice clean, dedicated page for logging in is a very sensible move rather than some of the odd designs we now see.

    The alternative shortcut would likely work but I do hope we can do something a lot better than that. I would feel we've kind of failed if we need to do this, there has to be a better solution but I do understand why you suggest it, you want something that helps you fill the TOTP codes. I can imagine there would be resistance to another shortcut but then you're posting because we've not managed to do anything better yet - a very powerful counter argument.

    We have mulled over the idea of copying the TOTP code, if it exists in the Login item, to the clipboard when you fill. It isn't elegant but this has one small advantage over your suggestion of the small adjustment in suggestion 2. For some sites the TOTP code is requested on a second page but there are instances where it's not until the third page that you are asked for the TOTP code. While copying the TOTP code to the clipboard isn't great it would at least leave you as the user in control of when it was used and as the user you would know when it can be correctly used and when it isn't - one of the things we've struggled with adding to 1Password in regards to TOTP.

    I suspect what we really need to do is a fairly big restructuring of how we view a login "page". The way everything has worked until now is a Login item really works on a single page and that's what the web form details section understands, it's a fingerprint for a single page. We can work with multi-page login processes but in a very specific way. With the advent of TOTP codes the ideal approach would be something that views a login process as a potentially multi-page affair and just like with the username and password fields we could flag a certain field as being the TOTP field. This sort of approach would, in theory or at least in my head, allow 1Password to fill any one of x pages and when on the page for the TOTP code fill it properly. The problem is the entire data structures we use weren't designed for this so I envisage it would be a massive effort especially as we'd want it to work over all our supported platforms. I'm not a developer either though, maybe there is something cunning we can do that wouldn't necessitate such a massive change whilst still doing something neat.

    I know it won't feel like much but we all do use TOTP here at AgileBits too so it isn't that we don't feel your pain. We all have to use the very same implementation so we'll benefit as much as yourself from a better approach.

  • I don't think it needs to be that fancy. Just give me shortcut keys for 'copy username to clipboard', 'copy password to clipboard', and 'copy OTP to clipboard'. Preferably let me assign them.

    For example, I currently press ctrl-\ to fill in my password (or option-\ on mac), and then I have to go through all the steps to copy the OTP to the clipboard by navigating the menu, click back into the OTP field of the web page, paste and continue. This could be reduced to a sequence of: ctrl-\, ctrl-1, ctrl-v, enter. And would save me a lot of time each day as I work in a number of different environments that each have their own OTP.

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    @monkeybox Thanks for the feedback. I actually had a discussion with one of our Mac developers about what it would take to support TOTP filling recently. I went into it thinking it was a hugely complex issue and then after typing out my thoughts for a little bit, I realized it's not nearly that bad.

    It still requires some architectural changes and some coordination with our Mac and Windows teams to get everything lined up, and that will be quite some time before we have the breathing room to make these changes, but I did want to post and let you know it's something we're actively thinking about and definitely want to pursue in the future.

  • I am reopening this topic with another suggestion. How about this: for any login where a OTP is included in the 1Password record, after autofilling the user name and password, 1Password could automatically copy the numbers in the OTP to the clipboard. As a result, entering the OTP into the next webpage that opens would be as simple as command (or control) - V, as the OTP would already automatically be on the clipboard. Could that work?

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    This is certainly one option, although certainly not the most elegant solution. We're considering our options here, but the amount of coordination required means that it's not something we can get to in the near term. Thanks for your patience.

  • Is it possible to use the webform section to link the TOTP?

    For example the webform has an text box with the name 'passcode'. In 1Password you could assign that to the One Time Password.

    Not sure of the exact user flow, and may be a little hacky (as you'd have to inspect the web page) but would be a cheap alternative. Perhaps 1Password could detect when the form submits the same value as the TOTP and 'suggest' you use this field etc.?

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    Right now, what you describe isn't exactly possible. The Web Form Details aren't intended to be edited and they don't allow adding a TOTP field there. This is still something we're very interested in, but I can't offer more on a timeframe for it just yet.

This discussion has been closed.