How do I setup passwords for "chained challenges", where you first login, followed by a second pwd?

CitiManager, for instance, first requires you to login, then it sends back a preset,
but random question for you to answer, as an additional password. This isn't
seem like 2FA, with an SMS or authenticator, the questions are prefilled.

with 1password6, I had an entry for each question that I could use to autofill.
With 1password7, it seems to remember the previously used entry for the site, so I cant select another;
I have to get it wrong, then reselect the current best one.


1Password Version: 1Password for Android v7.3
Extension Version: Not Provided
OS Version: Android Version 10
Sync Type: 1password account
Referrer: forum-search:chained challenges

Comments

  • Hey @kv3! It sounds like you're referring to what are typically called security questions. Is that right? Typically we recommend storing these as custom fields all within a single Login item. Having multiple Login items all for the same website sounds like a lot of work to me! You wouldn't be able to autofill these, in this case, but they're easily referenceable from 1Password mini or 1Password X, depending on which extension you're using.

  • kv3
    kv3
    Community Member

    Hi ag_michaelc, thanks for the response. Yes, these are security questions.
    Your approach works on a regular computer browsing to their web site.

    It doesnt work as well though when accessing via my mobile device.
    For wahtever reason, citimanager requires to login every visit, and then brings up a separate screen with the security question.

    Kannan

  • kv3
    kv3
    Community Member

    One more thing, my answers to these security questions are no longer a consistent value: for instance, my mothers maiden name in one site could be "predatory panda" and in another "personable python". Reduces my exposure surface, that something like 1Password makes somewhat easy, somewhat not. Hence it is actually useful and important to get
    a) autofill, and (b) no stickiness assumptions.
    Ideal autofill would be if it came from the custom fields page.
    The stickiness assumption seems to be something from 1password7(I dont recall seeing it in v6). 1P7's first choice is to present the same login item for the page, based on the last question asked, which may not actually be the right thing for me.

    If you could give me a "Security Questions" section that contains custom fields in which I set the key, and 1P7 manages the values as passwords (generate and present choices, then autofill), that will go a long way.

    Thanks @ag_michaelc,

    Kannan

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey Kannan,

    If the security question is on a different page than the username/password form, then it might be a bit problematic, especially on mobile.
    The best suggestion I can think of at the moment is to save every security question as a new login, and then try to autofill it by selecting the correct login. Can you give that a try?

    Your suggestions are good, but security questions are rather a dying breed of authentication and I don't think efforts and resources will be put into our apps to accommodate such websites more than it already does now (as you can see, it does work on the computer).

    Another thing I can suggest is that you take a look at our open letter to banks, which we wrote since banks in particular are very troublesome with overkill security measures that, more often than not, actually harm security rather than improving it. I suggest you forward it to your bank, as we've already managed to affect several banks and make them change their login pages by having multiple users sending them this :)

  • kv3
    kv3
    Community Member

    @Yaron Right now, I actually have each security question as a separate login credential, that works for autofill.

    Thanks,

    Kannan

  • ag_yaron
    ag_yaron
    1Password Alumni

    Glad to hear you got a workaround that does the job for you @kv3 :)
    Let us know if there's anything else we can help with.

This discussion has been closed.