Auto-fill doesn't always work

Half the time, auto-fill doesn't work. 1Password comes up but either doesn't show the site or application details, or if it does it doesn't fill it in when selected. I appreciate this may be related to auto-fill, but there are a few things that would make it simpler. First, you should be able to search for any password when auto-fill comes up, not just what 1Password thinks is correct. Second, it should be possible to copy the password/username to the clipboard so that if 1Password cannot fill it, at least I can paste it.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    @random483: Autofill is an iOS feature, so we don't have any control over its presentation or functionality. It sounds like there may just be some misunderstanding though.

    It should not offer to fill random login credentials for you, only those which match the current URL. If it were doing otherwise, that would be a bug and a security issue, since that would make it incredibly easy -- especially on a mobile device -- to fall prey to phishing scams, by selecting, say, your paypal.com login credentials to fill at paypa1.com (with a number one).

    You can, however, open 1Password's UI by tapping "1Password..." at the bottom of the Autofill prompt, and swipe to view details and copy from there if needed. We just can't modify the system UI.

    Anyway, I hope this helps. Let me know if you have any questions. :)

  • No, you misunderstand. When 1Password auto-fill cannot recognise a site or app, but 1Password comes up, it should allow selecting any other sites/passwords in the vaults, and let me select what to copy, etc. Otherwise I need to open 1Password manual and copy and paste. This happens very, very often, that even though the password exists, 1Password cannot determine it. By blocking the ability to browse the vault on auto-fill you make it necessary to switch apps. This is not how the Safari extension works. There, even if it doesn't recognise the site, I can go and browse any other entry.

  • brentybrenty

    Team Member

    No, you misunderstand. When 1Password auto-fill cannot recognise a site or app, but 1Password comes up, it should allow selecting any other sites/passwords in the vaults, and let me select what to copy, etc. Otherwise I need to open 1Password manual and copy and paste. This happens very, very often, that even though the password exists, 1Password cannot determine it.

    @random483: Can you give me a specific example then? I'm not sure how I'm supposed to understand otherwise. :lol: To be clear, should only be offering (a) login(s) to fill when there's a match. And if the app is not providing the OS with an associated URL in its package (or it differs from what you have saved), it should not be offering to fill. That's fundamental to 1Password's security model, and iOS 12 Password Autofill works that way too, or we would not be using it. You're free to copy and paste wherever you want, but we're not going to have 1Password facilitate promiscuous behaviour. That's the opposite of why 1Password exists in the first place, and why most people choose to use it.

    By blocking the ability to browse the vault on auto-fill you make it necessary to switch apps. This is not how the Safari extension works. There, even if it doesn't recognise the site, I can go and browse any other entry.

    That's simply not true. When I go to youtube.com in Safari and open the 1Password extension from the [ ↑ ] Share menu, 1Password does not offer any logins to me, because I have none matching that URL in any of my vaults. I can type in the search box at the top, but that only narrows the existing results, for example if I had many matching the site and wanted to find a specific one quickly. That's how it's always worked.

    The difference you might have in mind is with the 1Password desktop app/extension, if you I the same thing, I will still get zero results (since there is no matching login), but when I type in the search box I can find any login. Selecting it, however, will not fill it on the current page unless its URL matches; if it does not match, 1Password will instead open a that login's URL in a new tab/window and try to fill there, at the correct page. It just isn't possible for the 1Password iOS extension to open URLs in Safari, so we don't offer that option there. I'm sorry if that's caused some confusion.

    Switching apps isn't very hard though. That didn't even used to be possible, and it wasn't long ago that we gained the ability for 1Password to integrate with other apps at all in order to save and fill either. And we will still need to do that even now with many apps that have not added support for the 1Password extension, or been updated for Autofill. But even in those cases, 1Password 7's Quick Copy feature helps, as copying the username for an item, switching to another app, and then switching back to will result in 1Password automatically copying the password to the clipboard for you. We can't make other apps change, but that's one thing we can do to make it a little bit easier. :)

  • Sure. I've attached an example. This happens all the time, it's how 1Password works on iOS, so I assumed it was clear. My apologies, also very happy to discuss this in a private medium. This example is for Skype for Business. I have the password in 1Password, but as it is a corporate SSO, it doesn't show up against "lync.com" (the old SfB product domain). If 1Password would let me browse passwords, this wouldn't be an issue, and in fact it could learn which password I want for this app. Instead I need to exit SfB, go to 1Password, select the password, copy it, and switch back. In the browser extension all this is possible.

  • I understand completely what you are saying about facilitating phishing, but I don't agree. It's no riskier to let me search for other passwords from the auto-fill window than it is making me switch apps. That you don't fill it in automatically, I completely understand. But if I make a conscious decision to search and select / fill / copy another password, then the risk is the same as if I switched apps, but you've made 1Password a lot less friendly.

  • brentybrenty

    Team Member

    @random483: No need to apologize! Certainly if you prefer email, [email protected] works. Just post the Support ID you receive here and we can pick up the conversation. Typically though websites are pretty public, so I am sorry for not offering that option earlier if you do need to share examples that you would prefer remain private.

    The URL you're visiting and the URL you have saved in the login item are key. Do you have a login item saved in 1Password with a lync.com URL? I suspect not, and probably what's hanging you up is they're using an iframe or something for the SSO. But I won't know without being able to look at it myself.

    I understand completely what you are saying about facilitating phishing, but I don't agree. It's no riskier to let me search for other passwords from the auto-fill window than it is making me switch apps. That you don't fill it in automatically, I completely understand. But if I make a conscious decision to search and select / fill / copy another password, then the risk is the same as if I switched apps, but you've made 1Password a lot less friendly.

    You're not wrong. But please consider that we have to think of millions of people as we design 1Password. I have no double that you are on top of it, and perhaps are much less likely to make a mistake than a lot of people. But most folks don't think about this stuff, don't want to, and frankly are paying us to make sure 1Password doesn't put them in a position to do something that would be bad for their security.

    I really don't want 1Password to be unfriendly to you, but at the same time, while this is certainly an inconvenience for you and others in some cases, we have to weigh that against the inconvenience (understatement) of people giving their account information to the wrong people.

  • SfB is a bit unusual in that it does SSO through the main app - it's questionable as a secure method, though of course an app can always spy on it's own frames. However this isn't limited to SfB, it happens on others as well, like the Challenger app here in Singapore. Basically any time that 1Password cannot identify the app (or website) it doesn't let you search. That's it, that's the issue. You will eventually add this functionality, because other password managers will, or because it makes sense. But let's leave it there for now.

  • brentybrenty

    Team Member

    Interesting. Thanks for clarifying. It's not something we have plans to change ourselves, and, frankly, the industry has been moving in our direction over time on this due to very real security and privacy issues with autofill and phishing. but, specific to your example here, that's the result you get with iOS 12 Password Autofill. I'm not aware that Apple has plans to change that either. I would still be curious to dig into it more to see exactly what they're doing, but I do appreciate that I don't have much to offer you in return in this instance. :blush:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file