two factor authentication has terrible user experience - need website standards

1Password does a great job in filling name/password, in every browser and website I use. :)

But my TFA experience is terrible. I use three sites with TFA, and they are very different:
1. Has 3 fields on login screen: login/password/TFAcode. It takes a whole bunch of mouse clicks and typing, because CMD-\ or clicking on the 1PWmini entry gets "login failed", and I must go back, search for the login in 1PWmini, copy the password, paste it into the field, search for the login in 1PWmini, copy the TFAcode, paste it into the field, then click "Login".
2. Has 2 screens: login/password, then TFAcode. This works better: CMD-\ or click on the mini entry, then click "paste" into the field and click "Continue".
3. In a Terminal window: ssh [email protected], then enter password followed immediately by the TFAcode. I must copy-and-paste the password and TFAcode separately; probably the best that can be done (unless you add a specific button to copy password+TFAcode to the Clipboard).

Is it possible to set up standards that website designers can (and will) use so TFA programs like 1Password can provide a better user experience among all sites using TFA?

More specifically, can 1PWmini be enhanced to recognize the 3-field page and fill in all 3 fields?

Note this would be much simpler if all sites using TFA simply concatenated the password with the TFA code, in a single field. And you added a button for that, or 1PWmini recognized it.


1Password Version: 6.8.9
Extension Version: Not Provided
OS Version: OS X
Sync Type: Dropbox
Referrer: forum-search:two factor authentication

Comments

  • ag_sebastianag_sebastian 1Password Alumni

    Hi there @tjrob! :)

    Thanks so much for explaining all three cases. While I don't think there's much we can do for cases 2 and 3, perhaps we can do something to improve the experience for the first case, with three fields. Would you be able to share the URL of the site (if it's public)?

    Is it possible to set up standards that website designers can (and will) use so TFA programs like 1Password can provide a better user experience among all sites using TFA?

    Oh, how I wish that was the case, it would make our job so much easier! :) Even though plenty of standards (best practices, really) are in place for login forms, there's nothing stopping developers from making up their own login form, especially because web browsers are very forgiving when it comes to HTML. The only thing we can do right now is try to keep up. ;)

  • tjrobtjrob
    edited January 2019

    The case 1 URL is: https://nim.nersc.gov/loginform.phtml
    You won't be able to log in, but you can see what fields are in the form.

  • Hi @tjrob,

    Will we ever have decent standards to help with 2FA? I don't know. The autocomplete attribute which would be an excellent place to add this seems to get intentionally misused more than it gets used properly although some developers do appreciate the intent and use it properly. Still in the last couple of months alone I've seen three separate sites use the designation new-password for the username field on the sign-in page which at least makes a change from simply trying to disable assisted filling via autocomplete="off".

    Now it won't help our 1Password 6 users but I visited the page you linked us to and created a test Login item in 1Password 7. After adding a 2FA field to the custom fields 1Password correctly filled all three fields on the first go. That could very well tempt you to update and if you're curious our support page Upgrade to 1Password 7 for Mac details not just the two methods of obtaining 1Password 7 but also a link to all the new things in it so you can see if you want to make the move. It is a paid update though unless you're already a 1Password account user (our subscription based service).

    For 1Password 6 the best I can suggest is to disable the submit feature for that one item, that way 1Password won't submit the partially filled form and will allow you to paste the current 2FA code into the field that if you have stored in 1Password will have been copied into the macOS clipboard. To disable the submit option on a per Login item basis edit the item and locate the now visible option titled submit. The default setting is Submit when enabled, change it to Never submit and save.

    If you have any questions about either 1Password 6, 1Password 7 or our 1Password accounts please let us know.

This discussion has been closed.