Search form on autofill screen

I'm with @koraykupe here.

Not having a search box makes approx 1/5 of my attempted 1Password entries tiresome and clunky, rather than simple and intuitive. Doesn't sound like much until you use it dozens of times per day.

@Ben , your suggestion involves a multi-step process of:

• if at a web page, cancel log-in attempt and copy URL
• exit the app/web page in which you're attempting log-in (OrigApp)
• navigate to and open the 1Password app
• biometric or password log-in
• search for existing Login
• either creating a new Login, copy existing Login's password to the clipboard, or adding the log-in URL to an existing Login (which, how do you do when logging-in to an app and not web page?)
• app-switch back to OrigApp and start the password entry via 1Password again

OR, put a search box at the top and let us choose which Login to use (even if it means that 1Password needs to create a new Login with the same credentials...fine).

I really dislike opting to use iCloud keychain in these instances because it's just easier, but often end up doing exactly that, then manually backfilling the info to 1Password. Decidedly NOT simple and intuitive.

This seems like such a simple fix. Maybe there's an, "at your own risk because of x, y, z..." warning dialog if you start typing in the search. Or a toggle switch in 1Password settings that comes with warnings of dire consequences.

I really don't see the security concern here. Certainly not one that should be controlled/imposed by the app.

This is an individual making a conscious decision—verified by their entry of biometric or password login—to use one of their existing passwords. A release of liability for 1Password, if you will. If I decide to enter the same password in every app and website, that's my prerogative and I'm able to do so. Not a smart move, but nobody (nor the 1Password app) will prevent my doing so. So why is this different or more of a security risk? A "We've done all we can to keep you from making bad decisions, now go out into this brave new world!"

Prior to iOS 12's integration of external password managers, at least you went in knowing that you would have to copy/paste and could preemptively do so. While I greatly enjoy the integration and have no wishes to roll back to that older method, at least there was a reliable consistency there. While not ideal, expectations were consistently met. Now, even knowing I already have an existing Login for an app/website, there's no guarantee I will be able to use it.

Regards,
dt

@Ben

I suspect that'll be less convenient than adding multiple website fields to existing login items, as whenever you go to change a password for one of these 'duplicates' you'll have to update the credentials in multiple spots.

Excellent point. Noted!

Thanks.
dt

It is an anti-phishing technique. It prevents things like the following scenario:

1. Search using a search engine for 1Password in an attempt to log in to 1Password.com
2. Accidentally click on the result for iPassword.com instead
3. No login items appear because none are saved for iPassword.com.
4. "I know I have a login item for 1Password.com! I'll just search for it and fill it that way."
5. 1Password.com credentials are filled into iPassword.com

It prevents the user from searching for the entry in that way, but it certainly doesn't prevent that kind of phishing from working; it just forces the user to do even more work. Do you have evidence that having a more convenient search mechanism actually results in more people getting successfully phished, or is that just supposition?

The critical thing here is getting the user to think twice about whether or not they should trust the app or website they are trying to enter their credentials into, rather than how much work they have to do once they've decided to enter those credentials. I would expect an explicit warning to be more effective at getting users to think twice before entering credentials into a website or app that doesn't match the stored domain name.

On the Android app, I can search, but once I've selected the entry to use, I get a warning:

"1Password can't verify that App Name should have access to your Entry Name login. Do you want to fill it anyway?"

This means I do less work switching back and forth between the apps, which might mean that I'm less distracted and impatient when I'm confronted with that warning, and more likely to read it and take it seriously. I do think it would be better if the highlighted, obvious button was CANCEL instead of FILL, so I would have to think more to use it, though.

The critical thing here is getting the user to think twice about whether or not they should trust the app or website they are trying to enter their credentials into, rather than how much work they have to do once they've decided to enter those credentials. I would expect an explicit warning to be more effective at getting users to think twice before entering credentials into a website or app that doesn't match the stored domain name.

On the Android app, I can search, but once I've selected the entry to use, I get a warning:

"1Password can't verify that App Name should have access to your Entry Name login. Do you want to fill it anyway?"

Seconded!