Filling in NemID using 1Password X

Hi AgileBits.

I have a problem using your extension 1Password X to fill in NemID.

All banks in Denmark have more or less the same form of authentication. NemID.
Sydbank: https://www.sydbank.dk/privat
Danske Bank: https://danskebank.dk/privat
Contact with the danish authorities (For moving, choosing a doctor and picking a school for your kids): https://www.borger.dk/
3.rd party sites can also get NemID embedded in their system in order to verify that the user is real.

Loginpages
Danske Bank: https://danskebank.dk/en/personal/help?n-login=pbnetbank
Sydbank: https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS
Borger.dk: https://nemlog-in.dk/login.aspx/noeglekort

You can read about NemID here: https://www.nemid.nu/dk-en/
The people behind NemID are Nets: https://www.nets.eu/dk-da

In January 2017, the NCSC commented on the use of password managers (positivly)
https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords and a danish technical media asked the danish system about it: https://www.version2.dk/artikel/britisk-cybertjeneste-kodeords-blokering-nemid-app-daarlig-ide-1076987
The response from the danish system was (My translation, the danish version can be read in the article)
It's important that ones password is protected as best as possible. One of our securityfeatures is amougst others that you can't copy paste passwords into NemID login-fields. The choices of our security choices cannot be explained due to the security in the solution.

I have looked into "Don't Fuck With Paste"(https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/) and I can now paste passwords, but I would very much like to avoid extensions like that.

The "NemID" has already been discussed in another topic in this site, but that was for the iOS version of 1Password.
https://discussions.agilebits.com/discussion/79959/1password-for-ios-can-not-fill-forms-based-on-nemid

Currently I use 1Password X which actually finds the fields, it just can't paste anything into them..

So AgileBits, could you please look into adding support for this? Or maybe tell me how to do it? I know that the Javascript code is very obfuscated since they think it makes it much more secure...
This could potentially help a lot of danes using your product.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«1

Comments

  • Hello, @spuc! 👋

    Thank you so much for the incredibly detailed post about NemID.

    One idea is we could potentially add NemID as a field within Identities. Another idea which is probably more useful is to allow you to add a custom NemID field to your logins and include it during filling when you select that login.

    From the sounds of things, however, this goes against the NemID terms of service:

    Your code card must not be digitalized
    
    * Your code card is personal to you and must not be made available to anyone else.
    * Never keep your code card together with your password. According the the NemID rules your are not allowed to write down your password.
    * You will automatically be sent a new code card before you have used all the codes on the card.
    * If you lose your code card or suspect fraud, you should immediately block the card.
    * You must not copy, photograph or digitalize your code card.
    

    So I don't think they'll be offering to help either of us with this solution. 🙂

    We'll look into the custom fields idea further and hopefully that will work for you. In the meantime, I think you'll be able to manually fill in your NemID and save it as a new login. This should allow you to fill the form again as we don't use copy-and-paste during filling.

    I hope that helps. Give it a go and let us know how it goes.

    ++dave;

  • spuc
    spuc
    Community Member

    Hi @dteare

    As you might know, NemID is somewhat 2 factor.

    • Username + Password
    • Code from printed card or Accept button in NemID app.

    Actually I was just talking about the filling out of the webform.
    I couldn't get the automatic fill to work on NemID. But somehow after deleting the username and reinserting it again, it now works on some of the NemID login-forms.

    But on other pages, only the username fill works.
    I can show it to you here:
    https://www.youtube.com/watch?v=ldFJNApSvrs
    Tried the NemID form on the page: https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS

    I'm using Firefox 62.0.3 with 1Password X extension version 1.11.0

  • littlebobbytables
    littlebobbytables
    1Password Alumni
    edited February 2019

    Hi @spuc,

    Here's my take on NemID. I created a basic Login item and then I added a whack of website fields, five in total and they were.

    1. https://applet.danid.dk/
    2. https://nemlog-in.dk/login.aspx/noeglekort
    3. https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS
    4. https://danskebank.dk/en/personal/help?n-login=pbnetbank
    5. https://www.borger.dk/borgerapi/PerformLogin?idPItemId=96a32866-df0a-4e8c-a072-0765f2b44823

    The first is the iframe loaded by each site for the actual NemID sig-in form. The second is the destination link for www.borger.dk but I found it didn't like being loaded directly. After that are the URLs for the three sites you mentioned. You need all of them for filling to happen at all on each site but the last three also have the property that they could be used with open-and-fill.

    Now I found the sign-in page at nemlog-in.dk worked well and I got the expected prompts from 1Password X and everything filled. sydbank.dk and danskebank.dk on the other hand weren't quite as willing to work but with a bit of prompting I could get 1Password X to fill. What I had to do was if clicking on the username field didn't result in the 1Password X icon appearing in the field I would right click and select the Show 1Password contextual menu option. Once 1Password X appeared I could fill the field. Sometimes clicking on the password field would then see it fill with no further action, sometimes I would have to go through the same steps. Whilst certain more steps than it ought to take 1Password X could be prompted and would fill both fields. I would be interested to learn if you find the same.

    Clearly we still have work to do here. 1Password X repeatedly failed to identify the fields as it was meant to across the various examples and it should be consistent considering they're all loading the same iframe. Hopefully the ability to fill with 1Password X will help to make up for this a bit while we work this out though.

    ref: x/b5x#617

  • relausen
    relausen
    Community Member

    I'm having trouble with portal4.sydbank.dk too. Funny thing is that on my old Mac running High Sierra and 1Password 6.8.8, it works fine!

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hello @relausen,

    So I haven't visited the page since I last replied to this conversation back in 2018 so it was time for a refresh. What I found was my Login item from before still worked but that there were still caveats for the https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS URL.

    1. Load the page as you normally would.
    2. Ensure keyboard focus is on the username field. This seems to be the default.
    3. Click the 1Password X button in the browser toolbar and fill from the toolbar menu.
    4. Either use the tab key or click on the password field.

    Now I've experienced two different behaviours here. Sometimes 1Password X will automatically fill the password field and from there you should be able to sign in. If it doesn't, with keyboard focus on this field perform step 3 again.

    My testing suggests that even if you need two fill instructions, 1Password X should eventually fill both fields. We still have work to do to improve this, after all it really should just take a single fill command given both fields but so far I've managed to coerce 1Password X to fill both fields.

    If you're still having trouble can you describe what you're trying and how it is failing please and I'll see what we can learn.

  • ldbr
    ldbr
    Community Member

    Hi!

    I'd just like to chip in here as well :-)
    I'm using another bank than the previously mentioned, where I've never been able to get 1Password X to fill the password, no matter which approach I try. Sometimes I can get the username filled, but that's about it.

    The link to the bank is here:
    https://portal4.erhverv.djurslandsbank.dk/wps/bankdata/jsp/html/da/PortalFrame.jsp?danid=true

    If I can in any way help out with any more testing, please let me know, as I'd love to :-)

  • kaitlyn
    kaitlyn
    1Password Alumni

    Hi @ldbr! 👋

    Thanks for reporting this to us. As much as I wish we could behave better here, I'm struggling to come up with a solution. I took a look at the HTML for the NemID form, and they're using five different password fields all placed on top of each other. I couldn't tell you why that is, and I'm not really sure what it accomplishes, but it's definitely not doing 1Password any favors. It doesn't stop there, either. The HTML name/ID of each of the password fields are long strings of characters, which change each time the page is loaded. That significantly increases the difficulty for a password manager. I was able to get an item filling the password, surprisingly, but I wasn't able to get it filling consistently enough to even recommend it to you. It'll fill maybe once or twice, then I continue to refresh the page, and it's back to square one. I truly think your best bet here is to click and drag your username/password from the 1Password X pop-up to the proper fields. If you need any help with that, please let me know. I've also passed your report along to our developers so they can continue to investigate.

    ref: dev/core/core#890

  • ldbr
    ldbr
    Community Member

    Hi @kaitlyn !

    Thank you very much for taking your time to reply :-)

    You just got me excited there for a second, as I didn't know about the "drag and drop" variant. However, unfortunately I couldn't that to fill either.

    I did dig into the HTML myself, and found the same you did; multiple password fields, with unique and randomized IDs. Yay :frown: NemID has always (in Denmark) been known as using a lot of "security by obscurity", so this is probably just one of those cases as well, since everybody knows that security by obscurity is the way to go... :)

    I'll see if I can come up with a solution, and if I do, I'll let you guys know :-)

  • ag_ana
    ag_ana
    1Password Alumni

    Sounds good @ldbr, thank you :+1: :)

  • micvbang
    micvbang
    Community Member

    I just posted an extension on the Chrome store that lets you paste data in the NemID applet: https://chrome.google.com/webstore/detail/nemid-paste/cnfplfabjimdldldakmnolmgooflgpml

  • ag_yaron
    ag_yaron
    1Password Alumni

    Thanks for sharing @micvbang !

  • elisabeth_zinck
    elisabeth_zinck
    Community Member

    Hi everyone,

    I just changed from lastpass to 1password, and I am a frequent user of NemID (as all Danes are...). It sounds like NemID truly has made life difficult for password managers, but somehow the lastpass extension for chrome worked like a charm with NemID. So I just want to say, that there must be some way to get it to work. :)

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey @elisabeth_zinck ,
    Thanks for the update! We'll take another look at it and see if there's something we can do that won't require big changes to 1Password.

    Thank you :+1:

  • primdahl
    primdahl
    Community Member

    +1 on taking another look please, Safari's native password manager works for NemID as well but I'd absolutely love to stick to 1Password and avoid browser lock in

  • ag_yaron
    ag_yaron
    1Password Alumni

    Thanks for chiming in @primdahl .

    We've implemented a fix internally for NemID, hopefully it will reach out to all of you in the next couple of updates! :+1:

  • Lit7
    Lit7
    Community Member

    Any news on this?? I just startet my trial period on 1Pass, and to my surprise I couldnt get NemID to work, which I have to use every single day.. So its a huge dealbreaker. The built-in chrome password manager works without any issues though.

  • @Lit7

    We've made some changes in our beta version of 1Password for your browser, which might improve your filling experience with sites that use NemID. Would you be willing to give it a try? You can install it from here.

    Let me know how it goes, or if you have any questions.

  • Lit7
    Lit7
    Community Member

    @ag_chantelle The beta works great, thanks!

  • ag_ana
    ag_ana
    1Password Alumni

    That is great to hear @Lit7, thank you for letting us know :)

  • gyihasz
    gyihasz
    Community Member

    Hello there,

    I updated my 1Password to Beta version, but I see no change regarding NemID.

    I tried to add the iframe URLs in every possible format, but it doesn't work.

    [It only works if I save the password to the concrete website, which is not really helpful, since each and every month if you buy a ticket on a new website or sign a paper with your NemID or just change one of your providers (bank, internet, insurance, etc.) you have to save all the websites.]

    Am I doing something wrong? Maybe I set up the NemID in 1Password the wrong way.
    Let me know if I should retry with different settings.

    My setup:

    • MB Pro late 2014 (Big Sur, 11.6)
    • Google Chrome v93.0.4577.82 (Official Build) (x86_64)
    • 1Password Chromer addon (Beta) - 2.1.0
    • 1 Password macOS (Beta) - 7.8.8.BETA-1
  • gyihasz
    gyihasz
    Community Member

    @Lit7
    What did you do to make it work? :dizzy:

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey @gyihasz ,

    I believe this can only work properly if you save a login item directly on the page with 1Password's help. It won't work if you manually try to build login items in the app/extension and filling all the fields there yourself.

    When you save a login directly on the page, 1Password records the entire page's structure, where each field goes and what needs to be autofilled in it.
    If you save a login directly on the page, does it work?

    For example:

    1. Go to one of the logins where there's a NemID form.
    2. Fill in your username and password into the fields.
    3. Right-click the 1Password icon on the top right corner of your browser and select "Save Login".
    4. Make sure to save it as a brand new login, do not update the existing login you already have in 1Password.
    5. Refresh the page and see if the new login item works correctly and allows you to autofill the page.

    In case it still doesn't work, share the link of the website here so we can test it as well.

  • gyihasz
    gyihasz
    Community Member

    Hi @ag_yaron,

    I deleted my DIY items from 1Password and I tried what you suggested.
    I think I wasn't clear enough on how NemID is used and works. NemID is a universal login across multiple platforms.
    With NemID, you log in to all your providers like banks, insurance companies, national institutes, universities, etc.

    What I did now, according to your suggestion (this is also a way for you to reproduce the issue):

    • Go to al-bank.dk
    • Click Sign-in, then click Netbank
    • I entered my NemID credentials
    • I saved it in 1Password
    • I refreshed the page, and then it fills in the stuff. Super good so far.
    • Now I navigate to danskebank.dk
    • I click sign-in, then click Netbank
    • And 1Password has "No suggestions" for the exact same NemID iframe, since it is only connected to "al-bank.dk" + "applet.danid.dk" (the latter is the URL of the iframe)
    • And of course, the same is true if I navigate to any other provider's website. NemID won't be filled automatically.
    • I'm not going to save my NemID stuff on more than 20+ websites, if Chrome's default password manager can do it. :cry: -

    I'm happy to help and provide any info on this, I'm also happy to jump on a video call if a demonstration is needed.
    I'd like to solve this issue because I want to set up my family members with 1Password, but I need this thing to work before that.

    Thank you for the help!

  • ag_yaron
    ag_yaron
    1Password Alumni

    Thanks for clarifying @gyihasz ,

    1Password can only suggest autofilling of a login item if the URL in your browser's address bar is identical to the URL that is found in the login item. If you want, you can add "https://danskebank.dk" to the new login item you just saved by editing the item, selecting an empty "website" field under the existing URLs and add that additional URL there. You can do this for as many websites you like. Save your changes when you're done, then 1Password will suggest autofilling that login item on danskebank.dk and any other website you've added to the login item.

  • gyihasz
    gyihasz
    Community Member

    If this is the only way for using NemID with 1Password, then I predict a lot of sad danish customers. Everyone in Denmark uses NemID, since this is the official, nationwide identifier for you to use the previously mentioned services (recap: everything, including such little things as a TV subscription). :cry:

    I still believe that this PW manager is most likely the best on the market, however, this problem is such a big pain, and I'm sorry, but I can not understand why it can't detect that iframe, since it already saved the address of that iframe by itself... (So it did actually find that iframe in the page, and it did detect it's URL. Then why is it a problem to find it when it is actually on the page?)

    What you described is exactly what I'd like to avoid, because there are endless websites where you log in, sign, confirm, etc. with your NemID. :cry:

    Is there a possibility to open a feature request for this? :cry:

    I hate to be the "Thursday morning complaining customer". :D
    I just can't believe that such a nice product stumbles on such a small thing. There must be some kind of a solution because it works so well in all other cases.

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey @gyihasz ,

    NemID's forms are quite different on every website. If you inspec the fields in your browser's developer tools you'll see that no two NemID forms are alike (even though graphically they look identical, their HTML code is quite different).

    1Password will work like you want it to if you just add the relevant websites URLs into the same login item, which is just an extra step from any other login item that you use in 1Password. Up until very recently, NemID didn't work at all with 1Password and autofilling wasn't a thing there, and we have improved things as much as we could to get 1Password working and autofilling on that form.

    I'll forward your request to our development team and see if there's anything else we can improve here, thanks for bringing it up and sharing your feedback :)

  • Lit7
    Lit7
    Community Member

    @gyihasz Yes, what I meant by it works is that it atleast shows up in the forms now with the beta, but you still have to manually save it on every website. The chrome built-in saves it on every website that uses NemID. With 1pass, I took the hassle to login every single website I could think of manually saving them to each one. I know majority of people in Denmark wont be doing this and just stick with chrome built-in or another password manager, so hopefully 1Password will get more familiar with NemID and add the features soon.

  • MerryBit
    MerryBit
    Community Member

    I empathize with @gyihasz , but keep in mind that this is a problem that will resolve itself before next summer where NemID will be replaced by MitID which is considerably more password manager-friendly.

  • ag_yaron
    ag_yaron
    1Password Alumni

    I think I may have been misunderstood here.

    You only need a single login item saved from a website with NemID.
    Then, instead of saving more logins for each website, simply edit the existing login you have and add all other websites links to it. You will end up with a single login item that contains a bunch of links to websites with NemID and it should work on most, if not all of them.

    @MerryBit I’m glad to hear NemID will be replaced with something friendlier! That’s great news.

  • MerryBit
    MerryBit
    Community Member

    @ag_yaron In case you want to test how well 1P works with MitID, you can go to the link below and try it out for yourself:

    https://www.mitid.dk/en-gb/?language=en-gb

    It's only the first screen that 1P needs to work with, the following screens will require input from a second factor that is external to 1P, i.e. not something you can store in 1P.

This discussion has been closed.