Storing the name of an identity provider rather than a password

Hi - Increasingly I am choosing to use an identity provider like Google or Facebook to authenticate with sites. Storing these records in 1Password is a bit clunky. Some still have the notion of a user name, so you can't always use that field. It would be great to have a different login type ("IDP Login" perhaps) with a pull-down list of identity providers (Google, LinkedIn, Twitter, Facebook, Salesforce etc.) instead of the User ID and password fields. Auto-tagging the type with the IDP would have an added benefit too.


1Password Version: 6.3.1
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    @akunzle: It's an interesting idea, and something we'll continue to consider. But so far we haven't found a good solution that doesn't potentially break things across the various versions, platforms, and browsers we support. However, you can accomplish something similar already:

    1. Create a Login item for the website and only set the username, using a phrase that informs you of which login credentials you need to actually use. For example, one of mine says "Use your Google account, fooh!" You, of course, can be more or less self-deprecating as your taste (or in my case, lack thereof) dictates. ;)
    2. Then set the submit option for just that Login item to Never submit. That way, when you try to fill it, your past self will gently (or not) remind you that you need to click "Google" or whatever.
    3. Also, you can edit the Login item in 1Password to add the icon for the service you'll use as a visual indicator. For example, edit your Google login to copy (⌘C) its icon, cancel the edit, edit the intended target, select its icon, paste Google's (⌘V) to replace it, and save the changes.

    I hope this helps. Let me know if you have any questions! :)

  • khad Social Choreographer

    Team Member

    @akunzle,

    I think Brenty provided a very practical answer, but I do want to provide some information you may wish to consider on a more abstract level.

    If you were using "Log in with Google/LinkedIn/Twitter/Facebook/Salesforce" on a site where there was a password breach you would not need to change your password. The way that single sign-on (SSO) systems work, the site would not be storing your Google/LinkedIn/Twitter/Facebook/Salesforce password in any form whatsoever. (I'll just refer to Google/LinkedIn/Twitter/Facebook/Salesforce as the SSO provider now.)

    However, SSO systems can work in a variety of ways. The way that SSO providers work is reasonably secure (as long as the SSO provider doesn't get breached), but it is also a privacy decision. By using a third-party SSO provider, you are telling the SSO provider every time you log on to every other site you use with that SSO provider. Some people may not be comfortable with that.

    In contrast, if you use 1Password to create a strong, unique password for every site and do not sign in using an SSO provider, 1Password is not in a position to even gather such information. We can't know what you log into when. We really know nothing about your use of 1Password, and this is deeply part of the design.

    This highlights the contrast between 1Password and SSO providers. If an SSO provider turned evil, they could do a lot of damage. They could log you into any site or service whether you want to be or not. They could lock you out of things. With 1Password, even if we were to turn evil, there is actually very little damage we could do because you have your data on your own machine, and any copy of it stored on 1Password.com is encrypted and cannot be accessed by us.

    Now you don't have to actually be concerned about anyone "turning evil" for that distinction to matter. If someone has the capacity to do damage, they can do it by accident. If someone does not have the capacity to do damage, then they couldn't do it even by accident.

    This is part of the "principle of least authority". Systems should be designed so that they have no more authority than needed to perform their function. With (most) SSO providers you are ceding authority regarding your login credentials to a third party (or multiple parties). With 1Password you are not.

    Something to think about. Stay safe out there! :+1:

This discussion has been closed.