Subdomains and iOS12 autofill

a1andreasa1andreas Junior Member

Hi!
I just tried out the new beta of 7.2 for iOS with autofill, and this feature is in many cases just amazing!

There is one specific use case where it is entirely unusable though, and that is if I have several different logins with the same login name on different subdomains.

For example, if I have two different subdomains that is server.domain.com and git.domain.com and my login name is the same for those ("user"), but the password is different, and then I use autofill for any of those, this happens:

I first get a suggested login, but it seems to be any random login from any subdomain to domain.com, and not for where I actually try to log in.

So, I click the key icon instead to list all logins for the current site, and these are the options I find in the list:

user
for domain.com

user
for domain.com

So, in other words, there is nothing that differentiates those logins at all in the list, so I will have to guess or open the 1Password-menu instead (where it is not clear which login belongs to the current subdomain either, but at least better in most cases).

For some domains I have probably over 20 different logins for different subdomains but with the same username in this way, and it is a mess to handle that in the normal 1Password login list, but practically unusable with autofill.

In my view, this problem is easily solved (if Apples API allows it of course) by making it possible to only list logins for the specific subdomain I'm on.
I already missed that feature far more than anything else in the iOS version of 1Password, but the behaviour in autofill makes this feature even more needed than before.

It would be truly amazing if you would fix this issue and make autofill (and the rest of 1Password on iOS) become as good as it could be.


1Password Version: 7.2 (70200001)
Extension Version: Not Provided
OS Version: iOS 12 DP9
Sync Type: Not Provided

«1

Comments

  • izmacizmac

    Similarly for me, I have a number of different login credentials for the same internal platform.

    They are autogenerated and have very difficult to discern differences in a list, e.g. [email protected] vs [email protected], can the autofill list be configured to show the normal language 'name' of the login instead?

  • XIIIXIII

    +1 for the feature request from @izmac, for a slightly different use case:

    several Mastodon accounts where "plus addressing" is used to get a different email address per Mastodon instance.

  • rapamaticrapamatic Junior Member

    +1 to show the name of the login (like what happens when you use the 1p share sheet). I have multiple logins for some domains, and in fact some sub-domain logins with the same username, and there is no easy way to distinguish them with the current setup.

  • MrRooniMrRooni

    Team Member

    Hi folks,

    Thanks for the great feedback here. The list that shows up when you tap the key is a presentation of the information we provide to the Password AutoFill API: A username and a domain. We don't have any way to present this information differently as it's handled by the OS.

    We could limit things to exact matches for the domain you're on, but I think we'd run into problems in the other direction. An item would match on appleid.apple.com, but not on developer.apple.com (for example).

    If you scroll to the bottom of that list and tap on the 1Password… button it will bring up a 1Password UI that shows the matching items and their titles.

  • a1andreasa1andreas Junior Member

    Hi MrRooni

    Thanks for your answer.

    It makes sense to me that the default behaviour for this would be that everything is displayed, because most people do of course not have lots of different logins for different subdomains, and would rather be confused by a behaviour like this.
    It does also make a lot of sense to let us (fewer) power users of 1Password that have a big need for exact matching of domains, and understands how it works, to have this feature available.
    For me, and I am sure many others who work like me, this would make 1Password much better in our daily usage, and almost all of us are probably also the kind of users who does not have an issue with having to enter both appleid.apple.com and developer.apple.com in our AppleID-entries, and the same for other accounts like that (thats how mine is actually already set up anyway)

    So, in my view it is logical that the default is to not do exact matching, but to give a setting somewhere (probably quite hidden) for those of us that really really need exact matching of domains to be able to work efficiently with 1Password.

    Another solution to this, that doesn't require options that some users might not understand, is to default to exact matching for Apples autofill-menu, and then let the user click on "1Password" at the bottom of the list if the login is not in the list, and then display exact matched entries on top of the 1Password-list (like on Mac) and the rest of the logins for the domain (not exact matched) following that.

    Any of these would solve the problem and make 1Password much much better for me and all those who works in a similar way to me.

  • rapamaticrapamatic Junior Member

    Is there any way to add some description to the end of the domain name or username that wouldn't interfere with the iOS domain matching? For example, if I had "username" for abc.mydomain.com and "username" for def.mydomain.com - both with the same username but different passwords, it could display as:

    username
    for mydomain.com (abc.mydomain.com) - 1Password

    username
    for mydomain.com (def.mydomain.com) - 1Password

    Or, could you change the app name descriptor for each entry, something like this:

    username
    for mydomain.com - 1Password (abc.mydomain.com)

    username
    for mydomain.com - 1Password (def.mydomain.com)

  • rudyrudy

    Team Member

    @rapamatic,

    are you asking about this in the context of the QuickType list?

    If so then nope, we provide apple with a username and a domain or url and they decide the presentation for the QuickType and its extended listing.

  • rapamaticrapamatic Junior Member

    Yeah, I was wondering if there was some way to hack the QuickType list to show more info. Sounds like Apple has that pretty locked down, without leaving you with much room to play with things (at least for now).

  • brentybrenty

    Team Member

    I think that's the intention. But it's possible it may become more flexible in the future. :)

  • I would just like to echo my support for a "matches subdomain" toggle hidden somewhere. I'm also a developer (web based), and have many domains with subdomain a that have different programs with different logins on them. It's really a challenge in those cases to use this otherwise great feature :)

  • brentybrenty

    Team Member

    @RosemaryOrchard: We're pretty reticent to introduce "features" that would effectively break (at least as far as the user is concerned) login matching for most people (see Rooni 's example above), but it's something we'll continue to evaluate.

    I'm curious though, this is how 1Password has always worked, showing all matches for the domain. I'm glad that you and others are giving us feedback on this, but I'm also very curious: Why now? As mentioned above, we don't have any control over the presentation of Apple's iOS 12 Autofill feature. We do, however, have control over our software (when you tap "1Password..."). What if we were able to sort matching logins there as something like "exact matches" at the top and "other matching logins" below? Do you think that would be helpful?I'd love to pick your brain as a web developer, especially considering no one else I've discussed this with has elaborated. :)

  • Hi @Brenty! That makes sense, and is as it should be - as much as I wish it were otherwise ;)

    Why now is indeed a good question, and there are two reasons for me: Firstly I've been meaning to request this for ages, we have two systems at work a test and a production system, they have very similar URLs, identical usernames, but different passwords - and every time I try to log in with the wrong password I've thought "I need to find a fix" for this, I just hadn't got around to it until now. The second reason is mentioned by others above: I can't see the title I've assigned to a username/password combo. I understand that there's nothing you can do about this (something I'm going to file feedback with Apple about), but it really throws the issue at me every time I try to log onto something on one of my domains - the username looks right, so I tap it and then it's wrong which is somewhat disappointing (not a dig at you guys, I love 1Password and there's nothing you can do about that right now).

    If you could sort exact(er) matches at the top that would be awesome, but something else I've been chewing on thought wise since my first post would be to specify "the domain must start with" on each URL field, so I could have awesome.rosemaryorchard.com and fun.rosemaryorchard.com in 1 1Password entry, but on rosemaryorchard.com that one wouldn't show up. That would probably only show up as an option if something else hidden deep within settings had been enabled though, because otherwise I can imagine one of my parents enabling it and then coming to me for help wondering why their Amazon login broke! :p

    Please let me know if I can answer any more questions for you! :)

  • brentybrenty

    Team Member

    Why now is indeed a good question, and there are two reasons for me: Firstly I've been meaning to request this for ages, we have two systems at work a test and a production system, they have very similar URLs, identical usernames, but different passwords - and every time I try to log in with the wrong password I've thought "I need to find a fix" for this, I just hadn't got around to it until now.

    @RosemaryOrchard, that's perfect. Thank you! It really helps. I guess that, even though it's something you (and perhaps others) have been thinking about for a while, the beta (iOS 12 with Autofill, 1Password for iOS with Autofill, though likely both) is the impetus for feedback now. That makes sense. I wanted to make sure there wasn't some change we'd made that I'd overlooked or forgotten about. Hard to keep it all straight sometimes! I appreciate the perspective. :)

    The second reason is mentioned by others above: I can't see the title I've assigned to a username/password combo. I understand that there's nothing you can do about this (something I'm going to file feedback with Apple about), but it really throws the issue at me every time I try to log onto something on one of my domains - the username looks right, so I tap it and then it's wrong which is somewhat disappointing (not a dig at you guys, I love 1Password and there's nothing you can do about that right now).

    I hear you. And thanks for the kind words! At this point, I'm just happy that Apple has opened up Autofill to us in iOS 12. Sure, we'd love to be able to have more control over the presentation, but I'm not sure that's something Apple is going to do. There are not only good business reasons for them not to, but also safety as well (we've all seen invasive UI and ads anywhere people can stick them, and I'm sure Apple is happy to keep a clean, uncluttered, uniform UI for filling passwords and not have to worry about policing this). I still would love it if we could offer our own, more 1Password-like interface for people using their 1Password data in Autofill, but having the "1Password..." option at the bottom seems like reasonable compromise. It offers a way for more advanced users (or anyone) to easily get to 1Password itself if needed. So that's probably the way forward for now.

    Hi @Brenty! That makes sense, and is as it should be - as much as I wish it were otherwise ;)

    Indeed, I (and I'm sure most if not all of my colleagues here) can definitely relate to having a lot of logins for a single domain! ;) This is not so big a problem on a computer, since the 1Password desktop extension can not only offer whatever UI we want in addition to filling (we've already got a good sorting mechanism there: "discussions.agilebits.com passwords", with "related agilebits.com passwords" below it, for example), but also it's often a single step to fill: ⌘ \ (or Ctrl \).

    As I imagine you're also painfully aware of from web design, mobile platforms are a different beast since they're almost always going to have less screen real estate to work with and be touch-based. Add to that the

    If you could sort exact(er) matches at the top that would be awesome, but something else I've been chewing on thought wise since my first post would be to specify "the domain must start with" on each URL field, so I could have awesome.rosemaryorchard.com and fun.rosemaryorchard.com in 1 1Password entry, but on rosemaryorchard.com that one wouldn't show up. That would probably only show up as an option if something else hidden deep within settings had been enabled though, because otherwise I can imagine one of my parents enabling it and then coming to me for help wondering why their Amazon login broke! :p

    Yep! This is where we're concerned about adding "advanced" options. We get asked for a lot of these, and of course if we implement all of them 1Password would be a mess. But even if we only do one or two, it can cause a lot of confusion. A lot of people aren't even aware of the "Never display in browser" flag that can be set in logins...yet we not infrequently find that when someone is having trouble finding a login it's because they have enabled it for some reason. It's not an easy problem to track down, so 1Password may be better off without that...but it's really hard to remove options; better to avoid adding them in the first place unless absolutely necessary, if we can. And I'd be lying if I said I'd never done that to myself and gotten thrown off by the "missing" login later. Yikes. So it's not just mom and dad we need to look out for! :lol:

    Please let me know if I can answer any more questions for you! :)

    Sure! The one thing that I think I'm still missing here is what you mean by this: "specify 'the domain must start with' on each URL field, so I could have awesome.rosemaryorchard.com and fun.rosemaryorchard.com in 1 1Password entry, but on rosemaryorchard.com that one wouldn't show up". I've got an idea of the direction you're thinking, and it sounds a bit fraught, but if you can clarify I'd really appreciate it. :)

  • Sure! So what I mean by that is on http://awesome.whatever.com the awesome login would be available, but not on http://whatever.com - I understand you'd have to fuzzy match both http and https (or maybe make us set up all of them, power users probably wouldn't mind), but if the domain needs a sub domain that's the best I've thought of so far. (In my case, the login that functions on the primary domain rarely functions on any sub domain).

    Is that any clearer?

  • a1andreasa1andreas Junior Member

    Hi @Brenty

    I have also been thinking about this issue for a long time (probably years), but came to bringing it up here because the AutoFill feature makes it so much clearer that this is an issue. So, nothing broke or anything, it's just that Apples implementation of AutoFill makes this problem much more obvious even though it has really been there much longer.

    I agree that putting exact matches on top of 1Passwords own list (like on Mac) does solve this problem really well, as long as that list (not Apples AutoFill list) is used.

    I have another idea for solving the issues with Apples list too, that in my view would be perfect in combination with putting exact matches on top of the 1Password list.
    In some places when I try to use AutoFill, it goes directly to the 1Password list instead of first displaying Apples list. For me it would be perfect if it always did that, except for when there is only one login item for a specific site.
    So, what if you gave Apples API no login items at all, except for sites where there is only one item to choose from?
    If I understand it correctly this would lead to there being a button to fill the one available password right away when there is only one, but when there are more options it would always use the 1Password list that is better organised and easier to select form, and always skip Apples password list.

    The combination of those two (with the second one possibly an option: "Always use 1Passwords own list with AutoFill") would be as close to perfect as it gets in my view.

  • brentybrenty

    Team Member
    edited September 2018

    @RosemaryOrchard: Ah, thank you. Got it! It's logical, but I think the approach of having a login saved as subdomain.domain.tld only fill at that subdomain has the same difficulty for most users (mom and dad, and me too, at least for non-work stuff) discussed above: my www.amazon.com login would be "broken" at smile.amazon.com. So I still feel that doing something with 1Password's UI might allow us to help more people without hurting others. :)

    ref: apple-2113

  • That makes sense, and I would suggest if it were implemented the way I was thinking it would need several steps to turn it on (one step to enable it somewhere in settings, or even the OmniGroup approach of a "hidden" setting that can only be triggered via URL scheme - and then once in each 1Password entry). You folks know best though! :chuffed:

  • brentybrenty

    Team Member

    I have also been thinking about this issue for a long time (probably years), but came to bringing it up here because the AutoFill feature makes it so much clearer that this is an issue. So, nothing broke or anything, it's just that Apples implementation of AutoFill makes this problem much more obvious even though it has really been there much longer.

    @a1andreas: Ah, also a good point!

    I agree that putting exact matches on top of 1Passwords own list (like on Mac) does solve this problem really well, as long as that list (not Apples AutoFill list) is used.

    I'm not sure that's something we can do in the short term, but it may be something we can add in an update. I'll bring it up with the team. :)

    I have another idea for solving the issues with Apples list too, that in my view would be perfect in combination with putting exact matches on top of the 1Password list. In some places when I try to use AutoFill, it goes directly to the 1Password list instead of first displaying Apples list. For me it would be perfect if it always did that, except for when there is only one login item for a specific site.

    This intrigues me, as I'm not sure why that would be. What's the context? Could you clarify what you're seeing? If it's simpler, take a screenshot of this. To include it in your reply, simply click the document button in the top of the comment field, and select the file you wish to share:


     
    Just be sure not to post anything sensitive, as this is a public forum. Thanks in advance!

    So, what if you gave Apples API no login items at all, except for sites where there is only one item to choose from?

    Hmm. I'm not sure that would be desirable for most people. It's an interesting idea though. It just seems like a bummer for everyone with more than one login for a site to effectively be opted-out of autofill automatically.

    If I understand it correctly this would lead to there being a button to fill the one available password right away when there is only one, but when there are more options it would always use the 1Password list that is better organised and easier to select form, and always skip Apples password list.

    I think that there would be a lot of undesirable consequences of doing it that way, but it is a cool idea. If we had control over the whole experience either way, I'm sure we could come up with a slick way of presenting it. Unfortunately that's not the case here.

    The combination of those two (with the second one possibly an option: "Always use 1Passwords own list with AutoFill") would be as close to perfect as it gets in my view.

    I think that the arguments against adding options tend to outweigh those in favour, but it's something we continue to evaluate on a case-by-case basis. Thank you for sharing your thoughts on this! :)

  • brentybrenty

    Team Member
    edited September 2018

    That makes sense, and I would suggest if it were implemented the way I was thinking it would need several steps to turn it on (one step to enable it somewhere in settings, or even the OmniGroup approach of a "hidden" setting that can only be triggered via URL scheme - and then once in each 1Password entry). You folks know best though! :chuffed:

    @RosemaryOrchard: I don't think that's a given, even if we do have some experience in his area, so it's really good to get these kinds of perspectives from you and other passionate 1Password users. Thank you! :chuffed:

    It's certainly a tough call. On the one hand, that would prevent people from enabling this accidentally. On the other, it means those who do want it have to find out the secret incantation and jump through hoops. Which can be kind of fun, admittedly, but we'll see if we can't come up with a more intuitive solution to this problem. Cheers! :)

  • a1andreasa1andreas Junior Member
    edited September 2018

    Hmm. I'm not sure that would be desirable for most people. It's an interesting idea though. It just seems like a bummer for everyone with more than one login for a site to effectively be opted-out of autofill automatically.

    @Brenty: Actually it would not disable AutoFill at all. Thats my point. It would just change it's behaviour for all sites with more than one login item, so that you would get one password-button above the keyboard, and when you select that you go straight to the 1Password list, skipping Apples own AutoFill list, but still using the AutoFill feature, just with 1Password's own UI instead of Apples.

    Below is a screenshot of how it looks when trying to use AutoFill on a site with no saved passwords. If 1Password gives the Apple API no logins for a specific site, this is what happens.
    When you select that password button above the keyboard (it says "Password" in Swedish in my screenshot, because my phone is set to Swedish) you get to 1Passwords own login list, and when you select an item there (if there are any), it uses AutoFill to actually fill the login form with that information. (same as showing Apples login item list and then selecting 1Password at the bottom of that list)

  • brentybrenty

    Team Member

    Actually it would not disable AutoFill at all. Thats my point. It would just change it's behaviour for all sites with more than one login item, so that you would get one password-button above the keyboard, and when you select that you go straight to the 1Password list, skipping Apples own AutoFill list, but still using the AutoFill feature, just with 1Password's own UI instead of Apples.

    @a1andreas: Exactly. That's my point. As I said,

    everyone with more than one login for a site [would] effectively be opted-out of [Apple's] autofill automatically

    They would have to use the "1Password..." button, as the suggestion was to not show any logins in Apple's Autofill UI if there is more than one matching the site. I'm not sure it would be a good user experience to allow use of the new Autofill feature in some cases but not in others. Frankly, I'm not sure that's an option technically. And it seems like a waste of a really awesome feature Apple has given us access to, just because it doesn't do everything we wish it did. By that logic, we would also eschew Safari extensions since we have a wishlist of improvements we'd like to see there as well. We can't have everything we want though, and that's okay. It's sort of what makes life — and technology — interesting and beautiful. :)

  • a1andreasa1andreas Junior Member

    They would have to use the "1Password..." button, as the suggestion was to not show any logins in Apple's Autofill UI if there is more than one matching the site. I'm not sure it would be a good user experience to allow use of the new Autofill feature in some cases but not in others.

    @Brenty: It seems like we disagree on what using the AutoFill feature means :)

    In my opinion, my suggestion still means that the AutoFill feature is used, both for sites with one login and with several logins. It’s just that this one part of the AutoFill feature, Apples list of logins, is not used.
    And in my opinion that is a good thing, because that is the only part of AutoFill that I think is not very good, and you happen to have a much better alternative in 1Password that is possible to use in place of the built in one in the way that I suggested, making the whole AutoFill feature better with 1Password than with iCloud Keychain or anything else.

    In practice this would make AutoFill behave the same way as using the password-fill keyboard shortcut on a Mac:

    • If I press the password-fill-shortcut on a site with only one login, that login is filled right away.
    • If I press the password-fill-shortcut on a site with multiple logins saved, it displays 1Passwords list of logins for this site, and lets me select the one I want to use.
    • Randomly filling a password would not be what I expected on a site with several logins, so it is a good thing that it does not do that, but displays a list instead.

    Doing what I am suggesting would make it work exactly like that on iOS to, but with the AutoFill-button above the keyboard being used in place of the shortcut on Mac:

    • Pressing the large password button above the keyboard on a site with only one saved login would fill that right away.
    • Pressing the large password button above the keyboard on a site with multiple logins would display 1Passwords list of logins for the site and let the user select the one to use. (Still using AutoFill to get to the 1Password list, and to actually fill in the password)
    • You would loose the option to fill a more or less randomly selected password with the AutoFill-button on sites with more than one login, but isn’t it more logical anyway to display a list when there are several logins, just like on a Mac?

    Frankly, I'm not sure that's an option technically.

    I can’t test all the parts of this, but after testing what I can test, and seeing how AutoFill behaves, I am still fairly certain that this is technically possible to do.

  • ntimontimo
    edited September 2018

    I think there needs to be a solution for this. I ran into the following problem. I have to mailserver I manage both are a setup under a subdomain of my domain and both have the same login username, now I have two entries in the iOS autofill ui and I never know which one is the correct one so I have to try both. This is bit inconvenient. Would it be possible to show the full domain the login is for in the iOS autofill ui, currently only the main domain is shown. This means hello.1password.com will show up as 1password.com.

  • brentybrenty

    Team Member

    @ntimo: That just isn't possible with iOS 12 autofill. But we can control the experience when you tap "1Password..." since that brings up 1Password's app UI. We can show the whole URL there. And that's something we can iterate on over time as well. :)

  • brentybrenty

    Team Member

    @a1andreas: "Autofill" is a feature in iOS which Apple added in iOS 11, which worked only for iCloud Keychain at that time, and they have since opened it up to 3rd party apps like 1Password in iOS 12:

    Password AutoFill (Apple developer portal)

    So you'll have to take it up with Apple if you you have an opinion about what it's called or how it works. :lol:

  • a1andreasa1andreas Junior Member

    @Brenty: Yes, that’s what AutoFill is.
    But then if 1Password uses that Autofill feature, but with the 1Password UI instead of Apples UI for listing available logins when there are several for one site (which is possible with the AutoFill API according to what I have described in previous posts), I would argue that it still counts as using AutoFill, and that it is a more powerful way of using the AutoFill API.

    If I understand you right, you seem to think that the users would somehow miss out on the AutoFill feature by doing it this way, which I don’t agree with because AutoFill is still used, also for filling out login information on sites with more logins. It’s just used in a slightly different and more powerful way.

  • brentybrenty

    Team Member

    @a1andreas: I think we're just arguing semantics at this point. It would be confusing for many people to tap the "key" icon for autofill and see no login credential listed when they know they have them saved. That's what I'm saying. Sorry if I've been communicating that poorly. :)

  • Interesting discussion. But I am still left wondering: What is Agile Bits going to do with the autofill problem? Would it be possible to select a login when there are multiple logins on several subdomains? That would be workable, yet not ideal. As it is now, the autofill option with 1Password in iOS is broken for anyone with several logins on various sub domains under one domain.

  • brentybrenty

    Team Member

    What is Agile Bits going to do with the autofill problem?

    @jarledb: I'm not sure what you're asking here. Rather than a "problem", I think Apple's Password Autofill feature in iOS 12 is kind of awesome. :)

    Would it be possible to select a login when there are multiple logins on several subdomains?

    I am able to select from different logins myself, so maybe we're not on the same page here. But if you mean showing the subdomain in the iOS 12 Password Autofill UI, that is not possible currently.

    That would be workable, yet not ideal. As it is now, the autofill option with 1Password in iOS is broken for anyone with several logins on various sub domains under one domain.

    Not really, but certainly there's always room for improvement. However, we do not have control over iOS UI at all. You can, however, tap the "1Password..." button as mentioned above to access 1Password's UI, and you can see subdomains there:

    Cheers! :)

  • Does 1Password work on iOS 12? Yes. But for me and many more that have the same username and different passwords on multiple subdomains the new Autofill feature does not.

    Or have I missed some way of making it work, other than not using it?

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file