Accessibility filling prompt

Comments

  • edited January 2018

    Device: Motorola X 2015 (Pure Edition)
    Model: XT1575

    After the upgrade to 1Password 6.7.1, the form filling feature is no longer usable. After entering in my PIN or master password I am left with a translucent gray overlay on whatever app I was in prior to bringing up the 1Password keyboard. Swiping up will remove the overlay, but I just end up back at the form without any option to fill it.

    This happens both with and without accessibility enabled for automatic form filling. It also happens in native apps and websites in Chrome.

    I tried a reboot, force stopping the app, clearing the app cache, clearing the app data, and finally uninstalling and reinstalling 1Password. None of which corrected the issue.

    Unfortunately, your app disallows screenshots, so a verbal description is the best I can do.

    Steps to reproduce:
    1. Enable the one password keyboard and/or accessibility.
    2. Open an app or webpage that has a form.
    3. Give focus to one of the form fields to bring up the 1Password keyboard (or click on the auto-fill popup).
    4. Long press on the 1Password icon (or press on the auto-fill popup).
    5. Type in your 1Password credentials
    6. Watch it fail...

    Expected behavior:
    The one password app keyboard should give me the option to fill in the form with my credentials (or they should be auto-filled if using the accessibility stuff).

    Actual behavior:
    I'm presented with a translucent gray overlay and nothing happens. Swiping up will dismiss the overlay, but I am taken back to the form and no option to have 1Password fill in my credentials is presented.


    1Password Version: 6.7.1
    Extension Version: Not Provided
    OS Version: Android 7.0
    Sync Type: 1Password Teams

  • This issue seems to be the same as https://discussions.agilebits.com/discussion/85541/accesibility-based-autofill-on-android#latest

    I can confirm that disabling "lock on exit" mitigates the problem.

    I would like to add however that the new "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?" prompt is annoying! Obviously, if I had to jump though all the hoops to get to that dialog I intend to pass my credentials to Chrome. Can you guys at least add a setting to remember my choice so I'm not prompted with that stupid dialog EVERY time I want to log into some website via Chrome?

    Thanks.

  • brentybrenty

    Team Member

    @jeffreydwalter: Thanks for getting in touch! I hope you don't mind, but I've merged your posts with the existing discussion on this topic.

    I'm glad to hear that disabling Lock on Exit helped a bit. 1Password can remember that you've associated an app with a particular login, but I'm not sure it's a good idea to associate a browser with whatever just for convenience, as that would allow it to be filled on any website without warning. I can see how that could be annoying though, so I'd be interested to hear if you have a better solution. Given this feature is not even a month old, I'm sure we'll continue to refine it. :)

  • How about you just get rid of the feature? I've been using 1password for several years and have never needed this level of hand holding. I still really don't need it. What problem are you trying to solve with this extra prompt anyway?

    If you're going to insist on this extra dialog, can't you guys look at the current url in chrome and associate the domain with some credential? Like you do with the browser extensions on the desktop.

  • brentybrenty

    Team Member

    How about you just get rid of the feature? I've been using 1password for several years and have never needed this level of hand holding. I still really don't need it.

    @jeffreydwalter: How about you turn it off? ;)

    In all seriousness, you can not use the new accessibility filling and continue using the 1Password Keyboard as we all have been for years. I'm sorry you don't like this new option, but no one is forcing you to use it. It's already proven very useful to many people, and we'll continue to improve it in every way we can.

    What problem are you trying to solve with this extra prompt anyway?

    Phishing.

    If you're going to insist on this extra dialog, can't you guys look at the current url in chrome and associate the domain with some credential? Like you do with the browser extensions on the desktop.

    We can't do the level of integration we do on the desktop on mobile. Maybe it will be possible in the future.

  • Turning off accessibility doesn't remove the annoying prompt... But thanks for being a smart ass.

    Also, while trying to turn off accessibility, it seems I have found yet another bug... The toggle for enabling/disabling autofilling doesn't reflect the actual state of the accessibility setting. 1password shows it's off, but when I click it and am taken to the system accessibility settings it's actually on (or off). :/

    Why can't I use accessibility filling and the keyboard, like I have for years?!? Because you guys think I need your protection from phishing?

    The previous behavior was just fine! Historically, I have had to enter my pin, actively search for my credentials in 1password (since you guys can't figure them out based on url), select them, and then click fill username and fill password. I have NEVER given my credentials away this way.

    I don't want or need 1password to tell me that it couldn't verify whether or not Chrome should be allowed to use said credentials EVERY TIME I want to log into some site!!!

    How about you give your customers the option to disable your crappy phishing protection, since it's more security theatre than actual security.

  • brentybrenty

    Team Member

    Turning off accessibility doesn't remove the annoying prompt... But thanks for being a smart ass.

    @jeffreydwalter: I was serious. It seemed like a clear solution. Perhaps I am not understanding which "annoying prompt" you're referring to. If so, I apologize. But you can keep the potty language to yourself. We appreciate the feedback on our software, but that sort of thing isn't actionable. I'm happy to help, but I need more details — and you'll need to adhere to the rules you agreed to when you joined:

    Forum guidelines

    Also, while trying to turn off accessibility, it seems I have found yet another bug... The toggle for enabling/disabling autofilling doesn't reflect the actual state of the accessibility setting. 1password shows it's off, but when I click it and am taken to the system accessibility settings it's actually on (or off). :/

    It does here. I'm not sure why it wouldn't be working on your device. Do you have a custom ROM installed? Whether I toggle it with 1Password running or not, it changes in both, as it hooks directly into the system accessibility APIs. I wonder if that's something we need to address differently on Android 7 though. We'll look into it.

    Why can't I use accessibility filling and the keyboard, like I have for years?!?

    I don't know what you mean. I'm still using the keyboard here in some cases myself.

    Because you guys think I need your protection from phishing? The previous behavior was just fine! Historically, I have had to enter my pin, actively search for my credentials in 1password (since you guys can't figure them out based on url), select them, and then click fill username and fill password. I have NEVER given my credentials away this way. I don't want or need 1password to tell me that it couldn't verify whether or not Chrome should be allowed to use said credentials EVERY TIME I want to log into some site!!! How about you give your customers the option to disable your crappy phishing protection, since it's more security theatre than actual security.

    I'm sorry you feel that way, but I'm not even sure what you're talking about at this point. I understand that you're frustrated, but the things you're saying don't reflect what I'm seeing in the app at all. For example, I was able to associate a "test" login with this forum; I'm not being prompted each time as you're saying.

    So let's get back to the basics. Can you give me a specific example? Chrome version, website URL, the exact steps you're taking, and what is (or is not) happening as you expect?

  • Brenty, you were being snarky... The prompt I'm referring to is the one that says, "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?"

    This prompt is displayed immediately after selecting credentials for use in Chrome.

    1. In chrome, go-to any website with a login form.
    2. Give focus to form for to bring up 1password keyboard.
    3. Hold the 1password icon to bring up the 1password dialog.
    4. Enter 1password pin or master password.
    5. Click search for credential.
    6. Select credential.

    At this point I am prompted with a dialog that says, "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?"

    I am running stock Android 7.0 on a Motorola X 2015 pure edition.

  • brentybrenty

    Team Member

    Brenty, you were being snarky...

    @jeffreydwalter: Please don't tell me my intentions. I was trying to lighten the mood. And I thought that would actually help you. I'm sorry it didn't, and that I offended you. :(

    The prompt I'm referring to is the one that says, "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?" This prompt is displayed immediately after selecting credentials for use in Chrome.

    That's what I thought you meant at first, and where I'm confused is that after pressing "Fill" to accept that, I am not being prompted to accept it again upon further attempts.

    However, later on, I thought you wanted that prompt removed from all logins period. That's where phishing is a concern. We can consider adding an option, but we do try to keep those to a minimum to avoid confusion and bugs due to complexity.

    1. In chrome, go-to any website with a login form.
    2. Give focus to form for to bring up 1password keyboard.
    3. Hold the 1password icon to bring up the 1password dialog.
    4. Enter 1password pin or master password.
    5. Click search for credential.
    6. Select credential.
    7. At this point I am prompted with a dialog that says, "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?"

    Thank you. We're on the same page there. I just don't know why you'd be prompted (#7) again when trying to fill the same login in Chrome again, as you've already okay'd it for Chrome. That's where things differ for me.

    I am running stock Android 7.0 on a Motorola X 2015 pure edition.

    Thanks! Could you tell me the Chrome version you have installed?

    If you're still having trouble, the best thing to do will be to restart your device, reproduce the same issue (filling, prompt, "Fill", repeat and get the same prompt), and then generate a diagnostic report so we can look at the logs to determine exactly what is happening:

    https://support.1password.com/diagnostics/

    Please send it to [email protected] and add the following Support ID (including the square brackets) to the subject of your diagnostics email before sending:

    [#HBZ-52565-838]

    If you’re reading this and you are not jeffreydwalter, this Support ID is for jeffreydwalter only. Please ask us for your own if you also need help.

    This will link your diagnostics to our current discussion. Let me know once you've sent it. Once we see it we should be able to better assist you. Thanks in advance!

    ref: HBZ-52565-838

  • I wasn't telling you your intention, just giving you my perception. Whenever someone says something cheeky and follows it with, "just kidding" or "in all seriousness" in comes across as snarky to me.

    That being said, I do appreciate the help and am only concerned with having a piece of software that's useable and something I want to use.

    I'm running Chrome 63.0.3239.111. I will reboot, repeat, and email the log.

    Thanks for your time and help.

  • brentybrenty

    Team Member

    @jeffreydwalter: Thank you. Likewise, I appreciate you being patient with me. I'm sorry for coming off as snarky. You're totally right.

    Looking forward to delving into this more deeply via email, but I also wanted to follow up here to address some good points you raised earlier about 1Password for Android and its current featureset.

    As I mentioned above with regard to filling and phishing, subsequent attempts at filling will show the item as a match after you accept it the first time because it now has the signature associated with it. This check is not only a secure way of identifying apps, but it's also something that Google is insisting on for Autofill providers, like 1Password is now. I agree that we can do better here though, and it's something we've been discussing. Since you'll likely end up associating many logins with Chrome in this process, it may be helpful if the search field could be pre-populated somehow, to save you time and also help avoid mishaps. I'm not sure this is possible, but it's something we're looking into. But on the other hand, Chrome is supposed to be getting full autofill support in the near future anyway, so this problem may simply go away if we're able to integrate with it more directly and fill based on the website. So one way or another, it will get better. It was just important for us to get these features built into 1Password in the first place so we're ready when other apps can support them, and we can also continue to refine things ourselves.

    As for taking screenshots, that's been a huge problem on Android. We haven't hear much about it lately since, of course, 1Password does not allow this, but it was perceived as a huge security issue before we had a way to disallow it. You're probably thinking, "Well, I can take a screenshot of 1Password on any other platform..." You'd be right, and I can see how that may seem strange. But we're dealing with different threat models depending on the environment. And it's more of a problem on Android since it is super easy to install apps, and there are a lot of shady ones out there. People assume they're safe just because it's from the Play Store, but every few months there's a huge issue with malicious apps (or benign apps with malicious code snuck into them) revealed. There is a lot less these apps can do on Android compared to desktop, and along with easy installation this gives people a false sense of security. Taking screenshots of information in other apps is trivial without these protections.

    Many people also sideload, which isn't really an option on iOS. Amazon requires this to be enabled for their apps, which many people use. Certainly on the desktop there's a lot more damage that can be done with apps downloaded from the internet, but there is a much higher hurdle for users to do this. Android makes it as easy as iOS to install malware without the same level of scrutiny over what is allowed in the store, or restrictions on installing from other sources. Malicious apps taking screenshots is problematic on Android since we have no way to make 1Password show its lock screen in Recent Apps instead of whatever you were viewing in 1Password, the way we can on iOS. So Android users face different threats, and we've disabled screenshots to help protect against that.

    However, we are seriously considering adding an option to allow screenshots. We haven't worked out all of the details, but it would need to be disabled by default and warn the user of the security impact this would have. Thank you for you feedback on this, and also on our new filling features. We really don't want you to be annoyed or have anything less than a wonderful experience with 1Password. We just need to do our best to make sure we consider all of our awesome customers as we develop new features and improve existing ones. Cheers! :)

  • edited January 2018

    @brenty thank you for your thoughtful response. I do appreciate it.

    As a software developer myself, I completely understand the challenges with security that you guys are trying to address and completely agree with the approach.

    After a reboot, my issue with the accessibility slider not reflecting the state of the 1Password accessibility permissions on the Android accessibility screen has resolved. It appears there was some transient bug there, perhaps in my build of Android?

    With that resolved, I am now seeing the behavior you describe, when I have accessibility enabled. The behavior is as follows:
    1. Enable accessibility in the 1Password app.
    2. Goto any login form in Chrome.
    3. Give focus to the username field.
    4. Click the "Autofill with 1Password" popup.
    5. The "Select the account that you want to use with bittrex.com" dialog pops up and is populate with the correct credentials from a previous attempt.

    That is all working great! Now that it's working, I don't have a problem with that UI.

    What's still annoying, and possibly not working as expected, is the case where I have 1Password accessibility disabled.

    The steps to reproduce are:
    1. Disable accessibility in the 1Password app.
    2. Enable the 1Password keyboard.
    3. 2. Goto any login form in Chrome.
    4. Give focus to the username field.
    5. Long press the 1Password icon in the 1Password keyboard.
    6. The "Select the account that you want to use with bittrex.com" dialog pops up and is NOT populated with the correct credentials from a previous attempt.
    7. Search for the credential and select them.
    8. The "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?" dialog pops up and I have to click "Fill".

    I suspect that what's going on here is the 1Password app is unable to verify the signature since Accessibility is disabled and so I'm being prompted to that fact and forced to accept by clicking "Fill".

    If that is the case, and while I can understand why, that's still annoying behavior. My expectation is that this feature should work the same regardless of whether or not accessibility is enabled.

    As for the screenshot feature, how about just prompting the user to authenticate before allowing the screenshot? Based on my usage, I assume 1Password users probably only want to take screenshots for support issues and the very rare instance outside that. I think requiring authentication is reasonable.

  • brentybrenty

    Team Member
    edited January 2018

    @brenty thank you for your thoughtful response. I do appreciate it. As a software developer myself, I completely understand the challenges with security that you guys are trying to address and completely agree with the approach.

    @jeffreydwalter: You're very welcome. Thanks for the kind words, and for sticking with me. New features can definitely have a bit of an adjustment period, for users and developers alike...and if you're both you'll have a visceral sense of that. ;) Thanks for your passion for 1Password! We couldn't ask for more. :chuffed:

    After a reboot, my issue with the accessibility slider not reflecting the state of the 1Password accessibility permissions on the Android accessibility screen has resolved. It appears there was some transient bug there, perhaps in my build of Android?

    That's great to hear! But please keep it in the back of your mind that if you do encounter an issue like this again, we'd love to get some diagnostics info. Hopefully you won't have any more trouble, but we're here if you do. :)

    With that resolved, I am now seeing the behavior you describe, when I have accessibility enabled. The behavior is as follows:
    1. Enable accessibility in the 1Password app.
    2. Goto any login form in Chrome.
    3. Give focus to the username field.
    4. Click the "Autofill with 1Password" popup.
    5. The "Select the account that you want to use with bittrex.com" dialog pops up and is populate with the correct credentials from a previous attempt.
    That is all working great! Now that it's working, I don't have a problem with that UI.

    It's a bit maddening when "turn it off and then on again" works...but I'm glad to hear that all is well for you now!

    What's still annoying, and possibly not working as expected, is the case where I have 1Password accessibility disabled.
    The steps to reproduce are:
    1. Disable accessibility in the 1Password app.
    2. Enable the 1Password keyboard.
    3. 2. Goto any login form in Chrome.
    4. Give focus to the username field.
    5. Long press the 1Password icon in the 1Password keyboard.
    6. The "Select the account that you want to use with bittrex.com" dialog pops up and is NOT populated with the correct credentials from a previous attempt.
    7. Search for the credential and select them.
    8. The "1Password can't verify that Chrome should have access to your X login. Do you want to fill it anyway?" dialog pops up and I have to click "Fill".
    I suspect that what's going on here is the 1Password app is unable to verify the signature since Accessibility is disabled and so I'm being prompted to that fact and forced to accept by clicking "Fill". If that is the case, and while I can understand why, that's still annoying behavior. My expectation is that this feature should work the same regardless of whether or not accessibility is enabled.

    Thanks for letting me know! Your explanation makes sense to me, but I'm not sure that is the case...and I can't reproduce it here. I wonder if this is a difference between Android 7 and 8. We'll look into it and see if there's something we can do to improve it.

    Just to make sure we're on the same page here, I'm not seeing a difference in this behaviour when filling in using the 1Password Keyboard versus accessibility. It sounds like you definitely are. For me, in both cases, 1Password "remembers" any logins I've allowed it to fill in Chrome the next time I invoke it there.

    As for the screenshot feature, how about just prompting the user to authenticate before allowing the screenshot? Based on my usage, I assume 1Password users probably only want to take screenshots for support issues and the very rare instance outside that. I think requiring authentication is reasonable.

    That's an interesting idea. I'm just not sure it's possible for 1Password to detect that and modify its behaviour on the fly. It's something to consider, but we're leaning toward making this an advanced option in the app — pretty straightforward, and less likely to have edge cases: it's either off or on. How does that sound? Honestly, I suspect you might prefer that to getting prompted each time. ;)

  • Yes, I am 100% certain that the behavior I described (being prompted very time and my choice never being remembered when accessibility is disabled) is occurring for me on Android 7.0 on a Motorola X 2015 phone.

    It's entirely possible this is a bug on this specific build of Android, as Lenovo has managed to screw up some pretty basic features in this build. (Like toggling bluetooth...)

    As rarely as I take screen captures in 1Password (so far only attempted for support reasons), whatever solution would be fine in my book. If possible, it would be ideal to prompt the user to preclude the possibility of a user neglecting to disable screenshots and having their screen captured by malware.

  • brentybrenty

    Team Member

    Yes, I am 100% certain that the behavior I described (being prompted very time and my choice never being remembered when accessibility is disabled) is occurring for me on Android 7.0 on a Motorola X 2015 phone.

    @jeffreydwalter: Ah, sorry. I wasn't trying to suggest you weren't sure. I think we're on the same page here even if 1Password isn't working as expected in your case. The trick is finding out why. Thank you for letting me know you're using a Moto X! Maybe we have someone with one of those to test. :)

    It's entirely possible this is a bug on this specific build of Android, as Lenovo has managed to screw up some pretty basic features in this build. (Like toggling bluetooth...)

    I got really confused here about the Lenovo reference until I remembered that Motorola had changed hands again a few years back. I wouldn't rule it out, so hopefully we can confirm or deny it one way or another. :sunglasses:

    As rarely as I take screen captures in 1Password (so far only attempted for support reasons), whatever solution would be fine in my book. If possible, it would be ideal to prompt the user to preclude the possibility of a user neglecting to disable screenshots and having their screen captured by malware.

    Totally! The default setting should be for screenshots to be disabled, with proper warning to the user if they try to allow them. Cheers! :)

  • mverdemverde

    Team Member

    @jeffreydwalter Brenty mentioned that you've been encountering a frustrating issue where you're constantly being prompted to confirm that you want to fill a given login item, regardless of whether you've previously filled it. From the details you've provided so far, it certainly seems like 1Password should be remembering the association between the Login item and the app.

    This leaves me wondering if I there might be a missing clue in your setup. There is a known incompatibility with saving app identifiers when syncing with the AgileKeychain format. From the discussion thread, I see that you're using a 1Password.com account. Could you tell me if you're also syncing with an AgileKeychain folder in either Dropbox or your local storage?

  • @mverde I am not syncing with Dropbox, and am not aware of any local storage that I would be syncing to. Looking through the menu in the 1Password app, I don't see any options to configure syncing. I just emailed you the a diagnostics report from the app with [#HBZ-52565-838] in the subject.

  • mverdemverde

    Team Member
    edited January 2018

    @jeffreydwalter thanks for sending the diagnostic report. I'll follow up with you by email to confirm a few details, but I think that I now have a better understanding of why you're seeing this behaviour.

    ref: HBZ-52565-838

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file