ios multiple pin code prompts and 2FA
Here's my problem:
1 - many web sites are placing the username and pw prompts on separate pages and 1PW is not 100%reliable in filling fields. This means that sometimes I get 5-6 pin code prompts in the space of 20 seconds. One would think that one would do. Six gets downright annoying.
2 - I'm considering upgrading to teams so that I can use Duo. Would that cause me to get 5-6 Duo calls on my watch?
If so I think the value of 2FA would be smothered by the effort of using it.
Please you enlighten me about this.
Thank you,
Dan
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:ios multiple pin code prompts
Comments
-
Hi @DoctorDan
I could perhaps understand how in some cases you might be getting two notifications for the TOTP code being copied (e.g. once when you fill the username page and once when you fill the password page). I'm not sure that is avoidable at this point. But I'd be interested to hear what workflow you have that is leading to you seeing 5-6 notifications. Could you please provide an example?
Ben
P.S. For what it's worth, while I am aware of the move by some to split their login process from a single page to multiple pages, I'm not aware of any studies showing that this is in any way more secure or advantageous to the user.
0 -
The scenario goes like this:
1 - I access a web site that pit up a login. Sometimes just the username, sometimes the whole login opens in a popup window.
2 - I put the cursor in the username field
3 - the keyboard offer something from 1pw.
4 - I choose that and get a pin prompt.
5 - I select the appropriate item
6 - Nothing fills in
7 - I try again.. Another pin code prompt. Sometimes it fills, usually not (if it failed the first time)
8 - I type the username and advance to the password field
9 - keyboard again offers 1pw, another pin code prompt. sometimes this will work, often not.
10 - I task switch to 1pw, Another pin code prompt
11 - I search for the item and copy the pw
12 - task switch to the login. Sometimes the popup vanishes and I have to start again.
13 - paste the pw and I'm in.
14 - No more pin prompts for the duration set in the prefs.I thought that enabling duo might change the workflow and it has.
So I upgraded to teams. More $$$
Now the pin code icon is gone from the 1pw login screen and I have type type the 20 char master pw, which is not easy on the iphone. I often get this screen more than once in, say, a 15 minute period.The workflow that would work if duo is enabled.
1 - Enter the pin code
2 - get the duo dialog
3 respond to push on my watch
4 - I'm in
5 - No more pin prompts for the duration set in the prefs. After that trigger another duo session.Also, my wife's never gotten a message about duo even though she is part of the team. Their is no way in the team managers screen to send a duo invite.
And, I haven't gotten a response to my request to allow pin codes longer than 4 numbers.
As you can imagine, this is getting to be such an all-consuming activity that I'm considering abandon all effort to follow best practices and tighten security.
Thanks,
Dan0 -
This is all IOS related
First a couple of observations.
1 - 4 digit pin codes are pretty weak. Apple now forces 6 digits, or more if you choose.
2 - A Duo push is far more secure than a PIN code and, since you already allow a PIN code to bypass the need to enter the master password, a Duo push should be a more than sufficient alternative.
3 - Allowing an interval of up to 30 days as the ONLY time that Duo may be invoked in, in my opinion, of such limited value as a security precaution that it wouldn't even be worth the time, effort and expense to use it.I have thought about this some more and have figured out how Duo integration would be most useful to me.
1 - Beginning from an unauthenticated state
2 - I will define a session as beginning the first time 1PW needs to show a login dialog, regardless whether this is triggered by opening the app or from the keyboard password suggestions.
3 - If Duo is active, the screen will show the master password text box and a Duo Icon (instead of the PIN code icon),
4 - Clicking the Duo icon will invoke the Duo dialog.
5 - Assuming I choose push to my phone, I will get the auth request on my watch and fi I approve, 1PW will open.
6 - During a session, any subsequent activity that calls 1PW will NOT, display a PIN code prompt, a Duo prompt or a master password prompt. You will simply be allow in to complete the activity.
7 - Any activity during the session will reset the session timeout timer to its max value.
8 - After the session timeout interval has expired the session will end.
9 - GOTO #1 (my apologies to Dijkstra)Implementing this workflow would, for me, provide the greatest utility, the greatest security and the least duplicated effort.
The current workflow is, in my opinion, marginally useful and getting to be quite aggravating (which is a fancy way of saying that I don't like it much). I hope that I can induce to implement what I suggested, and soon.
Thanks for wading through all of this. It's really very important to me and I really like 1PW. I think the user experience could be improved significantly. I might be off in left-field but I think I've got a pretty good instinct for getting the workflow right. I've been at this for about 50 years and have developed software that has been used enthusiastically by thousands of people. One of them likes one of my apps so much he even wrote a song praising it. Can you imagine a doctor that is excited by a computerized medical record?
Cheers,
Dan0 -
Thanks for taking the time to share your perspective on this. I'll be happy to pass your suggestions along to the development team for further consideration.
Ben
0