How do I fill in a one-time password in the Android 1Password app?

@oldmankit: Correct. Essentially 1Password's built in browser has only very limited functionality. The browser ecosystem on Android is much more vibrant than on iOS, and there are a number of powerful, trustworthy, privacy-focused browsers like Firefox, Brave, and others that are escaping me at the moment. So we definitely recommend using 1Password to fill in the browsers themselves, and then you can also copy and paste your TOTP code from the 1Password app. You can probably even use 1Password's new autofill and accessibility filling since you're on Android 8, and hopefully we'll be able to expand that to support TOTP codes as well in the future. Thanks for letting us know that's something that could help you as well! :)

@oldmankit I wanted to jump in here to help explain the discrepancy between the documentation and what you're seeing on your device. To do so though, I should probably provide a bit of background information...

Prior to the introduction of Direct Boot in Android 7.0, devices were encrypted with full-disk encryption if they were encrypted at all. This meant that a single secret was used to secure the contents of the disk (both system and user storage). If you set the system to require your password on boot, then your password became the secret that secured the contents of the disk. Otherwise, a device secret was used instead.

On devices running with this kind of full-disk encryption, enabling an accessibility service switches the device from securing the disk with a user secret to securing it with a device secret. Switching to using a device secret to secure the disk allows the accessibility service to loaded before the user has entered their password on device boot. I won't presume to speak for the engineers that made this decision, but my guess is the thinking was that a person needing the use of an accessibility service will also need that service to enter their password.

Direct Boot was added in Android 7.0 as a more flexible alternative to the full-disk encryption that was used in earlier OS releases. Rather than protecting the entire disk with the same secret, Direct Boot separates the storage into a part that is secured with a device secret and a part that is secured with a user secret. Services that need to run at device boot can be written to and read from the part that is secured with the device secret. Everything else is stored in the part that is secured with the user secret.

On devices that support Direct Boot, there is no need to make any changes to how the device is secured when enabling an accessibility service. This is because the accessibility service can be loaded from the part of the disk that is secured with the device secret before the user has entered their password.

When we wrote the documentation for the 1Password accessibility service, we had assumed that all manufacturers would be implementing Direct Boot for their devices running Android 7+. From what you've indicated above, this assumption doesn't hold to be true as it would appear that your device doesn't support Direct Boot. Thank you for pointing this out so that we can make the correction in our documentation!

Hi @mverde, and thanks a lot for that really detailed explanation. I get it now.

@oldmankit: Me too! He said it much better than I ever could. :)

The phone I am using is a Xiaomi Mi A1, which uses the "Android One" version of Android.

Ah, that explains it. I was wondering why I'd never seen anything like that.

When I turned on accessibility for 1Password, I received a security warning, though I can't remember the exact details of that. If it helps, I can disabled it and re-enable it in order to find the exact message I got. I was unsure and did a bunch of research which led me to the conclusions that I made earlier, which were possibly erroneous conclusions.

I'd actually really love to know the exact message, and posting it here may help others find this discussion if they run into a similar issue as well.

The reason I thought that encryption had returned to default password was because after doing this, the device booted up fully and only asked for a password to 'unlock', not to boot. But I see that this doesn't necessarily mean that the phone was no-longer encrypted safely.

Yeah it's definitely confusing. It's one of those things where there's some baggage left over from before, so down the road when everyone is on Direct Boot it will be simpler...until they introduce something else new, that is. ;)

I think since I spent a bit of time having to research it despite carefully reading the 1Password documentation, yes there is probably a bit more that could be done to explain what's happening. I was brand new to Android and was quite confused by the process, and obviously didn't want to do anything to reduce the security of my phone's encryption.

Absolutely! Not sure how we can condense this information into something that will fit well in the documentation, but Verde's already done some of the work there. :)

Thanks again for explaining how it works.

On behalf of Verde, you're most welcome. And thanks to you for bringing this to our attention! I'm sure you're not the only one who will encounter this. Cheers! :)

Thanks so much for sharing those details! I'm glad that it's not only working for you, but that others can benefit as well. I think what's happening is that this could mess up some accessibility services which would need to be available on boot, but since 1Password doesn't work that way it ends up being a non issue in this case. We're looking into ways we can account for this in the documentation. :)