Subdomains and iOS12 autofill

2»

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jarledb: Yes. Please seen my comments and screenshot above.

  • jarledb
    jarledb
    Community Member

    Is there any way I can share some screenshots and a video with you privately? I don't want to share usernames and urls here.

  • craig_francis
    craig_francis
    Community Member

    Just so I/we can understand the iOS implementation...

    The documentation that Apple provides:

    https://developer.apple.com/documentation/security/password_autofill/

    Links to the information on the "AuthenticationServices framework" for the "credential provider extension":

    https://developer.apple.com/documentation/authenticationservices

    It's been about 5 years since I've done any Objective-C, and I don't really understand this quite basic/minimal documentation.

    Would it be possible for one of the 1Password iOS developers to explain how 1Password interacts with iOS?

    I'm not sure if:

    1. 1Password provides a full list of accounts to begin with, iOS keeps that on record, and will only ask 1Password for the password when the user selects the account.
    2. When someone focuses on a login form in Safari, 1Password is asked to return a list of logins at that point.

    I'm assuming it's the second approach, as that avoids synchronisation issues.

    In which case... when 1Password is being asked for a list of logins:

    1. What do you get told? I'm assuming you're told the full domain name,
    2. What do you return? I'm assuming the username and the partial domain name (TLD); not the password, as that's provided after the user selects the account they want.
    3. Does the order of the logins you return matter? and if so, is the first one returned the default one shown?
  • Good morning, Craig. It’s actually the first one. We provide iOS with a full list of usernames and the fully qualified domains with which they are associated. When you tap into a form iOS shows all the top-level domain matches.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @jarledb: Sure! Shoot us an email at [email protected] and post the Support ID you receive here. :)

  • maikm
    maikm
    Community Member

    I'm also frequently bitten by the lack of subdomain and port number matching. 1Password usually presents me with dozens of logins that don't apply.

    Proposal for a matching "algorithm" that probably doesn't break anything for anybody:
    1. try matching subdomain and port number (if port number is different from 443 or 80)
    2. if no exact match, try without port number
    3. if still no match, only then search for all domain items, ignoring the subdomain, or whatever you do currently.

    What I don't understand is why presenting an exact match would only if present would break anything for anyone.

  • a1andreas
    a1andreas
    Community Member

    @maikm I like your suggestion!
    Even better with port number matching too, as you say. That would be very useful for me to.

  • AGAlumB
    AGAlumB
    1Password Alumni

    As mentioned previously, the iOS 12 Password Autofill feature works only with the domain, not subdomains or port numbers. We can consider making changes to how 1Password itself presents matches, but that will not impact the topic of this discussion.

  • steve28
    steve28
    Community Member

    I hope something can be done, because this is useless:

  • AGAlumB
    AGAlumB
    1Password Alumni

    @steve28: Sorry, what's the problem?

  • steve28
    steve28
    Community Member
    edited September 2018

    @brenty Can you tell me which one of those listed accounts is for router.mydonain.com?

    Edit: I know it's not a 1P limitation - it's an iOS one. I'm hoping that Agilebits has more pull with Apple than I do through https://apple.com/feedback (which I submitted)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @steve28: If you tap "1Password..." at the bottom there, as suggested above, what do you see?

  • steve28
    steve28
    Community Member

    @brenty of course then I get a properly ordered list. My point is that I hope you are lobbying Apple to fix it so it works without needing the extra step

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah, gotcha. I don't think they necessarily have to listen to us, but we have shared feedback with them. Cheers! :)

  • maikm
    maikm
    Community Member

    We can consider making changes to how 1Password itself presents matches, but that will not impact the topic of this discussion.

    @brenty I realize this discussion is about the iOS 12 autofill, but I was referred here by your twitter account where 1Password matching was the topic:

    Anyway, wouldn't the iOS 12 autofill list become much shorter as well if 1Password would apply stricter matching (as proposed earlier here) before handing the result list over to the operating system?

  • AGAlumB
    AGAlumB
    1Password Alumni

    I realize this discussion is about the iOS 12 autofill, but I was referred here by your twitter account where 1Password matching was the topic:

    @maikm: No worries. Thanks for the context. :)

    Anyway, wouldn't the iOS 12 autofill list become much shorter as well if 1Password would apply stricter matching (as proposed earlier here) before handing the result list over to the operating system?

    Sure, but that isn't possible. The OS alone handles this feature. Sorry. :blush:

    As mentioned above,

    That just isn't possible with iOS 12 autofill. But we can control the experience when you tap "1Password..." since that brings up 1Password's app UI. We can show the whole URL there. And that's something we can iterate on over time as well. :)

    So if you have feedback about 1Password's UI, that's something we can evaluate along with everyone else's. :)

  • craig_francis
    craig_francis
    Community Member

    Completely forgot to check... any news on this?


    My current/temporary work around

    While you should continue to use 1Password (it's still the best)... for websites on multiple sub-domains, the iOS password manager handles this situation perfectly.

    Assuming you're on iOS and/or MacOS for everything (including Safari on MacOS), you could store those passwords in the Apple KeyChain instead.


    As to why it happens

    iOS asks the installed password managers for a list of usernames and related domains - so it can list them when you're trying to login to a website.

    1Password should provide the full domain name, so iOS has enough information to make an appropriate selection (i.e. so it can show the full match first).

    For some reason (something todo with the 1Password storage system?), when 1Password is exporting this list, it does not include the sub-domains.

    For example:

    • blog.1password.com
    • support.1password.com
    • email.1password.com

    These are all sent to iOS as "1password.com", so iOS has no idea which login is the best match (to show the first entry), or the order to list them when there are multiple logins (either a full match, or partial).

    As to where this comes from... well, I discussed it with Ricky Mondello (who was heavily involved in the iOS side) and Jeff Goldberg (from 1Password), at the Passwords Conf, in Stockholm, at the Clarion Hotel, November 2018 - I had assumed it was an iOS problem (because of this thread), but Ricky was sure the iOS side should work (and it does), and it's 1Password not providing the sub-domain :-(

  • TazG
    TazG
    Community Member

    I've been banging my head against the wall because of this for a very long time. I'm glad to see it's a known issue. I've got a domain with at least 16 subdomains, and each has different login credentials. Man-o-man, it's a frustrating experience trying to use 1Password on any of those sites.

  • ag_ana
    ag_ana
    1Password Alumni

    Not yet @craig_francis, sorry! But thank you for taking the time to share your feedback and suggestions with the other users :+1:

  • ag_ana
    ag_ana
    1Password Alumni

    Sorry about this @TazG! We will continue working on this to see if there is anything we can do to improve it :+1:

  • TazG
    TazG
    Community Member

    Thanks @ag_ana! Any improvement would be welcome and appreciated! :)

  • ag_ana
    ag_ana
    1Password Alumni

    You are welcome @TazG, anytime :)

  • steve28
    steve28
    Community Member

    @craig_francis - that would explain it. This whole time, 1P claimed it was a limitation of the OS.

    I mentioned this in another thread as well... but BitWarden is able to do this. I, as well, have, about a dozen account on the same domain with different sub domains. In That scenarios BitWarden is able to auto-fill the correct one displaying a list of indistinguishable entries.

  • This whole time, 1P claimed it was a limitation of the OS.

    To be clear: we intentionally don't provide the subdomain to iOS. That decision was made based on limitations in the autofill API.

    Ben

  • a1andreas
    a1andreas
    Community Member

    To be clear: we intentionally don't provide the subdomain to iOS. That decision was made based on limitations in the autofill API.

    I don't get what you mean here really. Others (BitWarden) are obviously doing this now, so there is no limitation in iOS that prevents it from being done, even though there might have been previously.
    So I hope you mean that the old decision was based on previous limitations, but that the decision can now be reconsidered, as this is now possible to implement?
    It would be very disappointing if you still don't implement this, even when it's proven that it can actually be done. This is easily the main missing feature in 1Password to me, and something that alone makes me think about switching to something else, even though 1Password is otherwise very good.
    It would probably also be much easier to accept if you would still not implement it if you give an actual relevant reason for not doing so.

  • @a1andreas

    At least one of the difficulties is/was that if you sent the FQDN w/ subdomain to the autofill API, it wouldn't offer that Login item at all on the bare domain. For example, if I had saved a Login item for discussions.agilebits.com it wouldn't be possible to fill that item on agilebits.com, which causes at least as many problems as providing only the bare domain.

    Ben

  • a1andreas
    a1andreas
    Community Member

    @Ben To me that would be the whole point of it, and exactly what I would want from this. I only want to see things that matches exactly the domain I have entered, simply because iOS doesn't show which domain the login is supposed to be for, so there is no other way to see that.
    There used to be an option for exactly this (I think it was called "exact matching" or something like that) in older versions of 1Password for Mac.
    That was eventually replaced by simply always showing everything, but ordered really well after relevance, and with all needed info right in the list, and that is of course even better, but without that possibility on iOS I don't know why it would be worse to solve this problem with an option like this on iOS then it used to be on Mac before the better solution was available/possible?
    So, an option for that maybe? Please? 🙂

  • Ben
    Ben
    edited June 2020

    To me that would be the whole point of it, and exactly what I would want from this. I only want to see things that matches exactly the domain I have entered

    I understand. That isn't a compromise that we're willing to make. As I say, it causes at least as many problems as it might solve. Being able to use the same credentials on various subdomains (and the bare domain) is equally common as having separate credentials for each. One such example: I use Google's G Suite. Google puts the admin interface for G Suite on a different subdomain than email. The admin interface is at admin.google.com whereas the email interface is at mail.google.com. The same credentials work for both. I want to be able to fill my G Suite login item on any google.com domain. If we implemented this change, I'd either have to have a bunch of different Login items for each Google subdomain, or have a bunch of websites listed on one Login. As it is, I only have to have one Login item, and putting google.com in the website field is all I need.

    Changing this would break what is currently working for a large percentage of the customer base. Suddenly I wouldn't be able to see my G Suite credentials when visiting admin.google.com.

    So, an option for that maybe? Please?

    The bar for adding an option is pretty high. If you do a search of this forum for "add a preference" you can get some idea why. That isn't to say we absolutely won't, but we haven't reached that threshold yet.

    Ben

  • a1andreas
    a1andreas
    Community Member

    @Ben Ok, I’m sorry to hear that, but thanks for the clarifications anyway.

  • You're welcome. :)

    Ben

This discussion has been closed.