1Password X not filling some 2FA fields

This discussion was created from comments split from: 2FA autofill not working in Safari.

Comments

  • BigStef
    Community Member
    edited December 2019

    Actually, using the Brave browser with the 1Password X extension installed on Mac OS X Catalina shows me that on some websites 2FA fields are correctly filled, and on some others not. Probably depending on different attributes of the 2FA field?
    For example:

    At Siteground, the 2FA field has :

    • name="two_factor_code"
    • type="password"
      And 2FA field is correctly filled.

    On Generic Joomla Backend access, the 2FA field has :

    • name="secretkey"
    • type="text"
      And 2FA field is not filled automatically.
  • kaitlyn
    1Password Alumni

    Hi @BigStef! Deep in the 1Password code lies a filling algorithm that helps it fill a variety of fields, like TOTPs. We use different clues, including the HTML name and HTML id, so that explains why a field with a name of two_factor_code fills and a field with the name of secretkey doesn't. It's always helpful to report filling issues to us; that way we can improve the filling algorithm and make it even more universal than it already is, so I appreciate you bringing this to our attention. You mentioned Joomla, but I'm curious what the website URL you're using to sign in is. I'd like to test it out on my end and make sure the issue gets reported to our developers. If it's not a public URL, just let me know and we'll go another route.

  • BigStef
    Community Member
    edited January 2020

    Hi Kaitlyn, Great! Thanks for considering this :)
    Actually I cannot give you any URL, as all of the websites I manage have a secret word in the URL for security.
    But if you need, I can install a test for a while with a URL I can send you?

    EDIT:
    OK - Finally I have just installed a Joomla backend access specially for the 1P team :chuffed:
    So if you need an account for access to the backend, just ask. Here's the URL if you just need access to the login window.

    For your information, this is a fresh Joomla install with no hack.
    The install package has been directly downloaded from joomla.org and installed on this subdomain.

    Just tell me when you have finished so I can erase that subdomain.

  • kaitlyn
    1Password Alumni

    @BigStef – I really appreciate you going through the trouble to create a test case just for us! I see exactly what you're saying now. I actually think part of the trouble is that the TOTP (or secret key) field is on the same page as the rest of the sign in form. Generally, 1Password X will fill a Login, you'll proceed to the next page, and that's when the TOTP would be autofilled as I'm sure you've witnessed on other websites. If I remember correctly, Siteground's sign in page is along those lines rather than offering the TOTP right away like Joomla does. Either way, your best bet to get this one to fill will be clicking and dragging the TOTP from the 1Password X pop-up to the secret key field. I created a little screencast so you can see exactly what I mean.

    As a side test, I used the inspect tool to make some tiny tweaks to the secret key field's HTML. Simply changing the HTML name to "OTP" or "two_factor" or something along those lines actually caused 1Password X to fill my [fake] TOTP correctly. I'm not sure if Joomla would welcome a change like that, but it's something you could reach out to them about and suggest they alter their code even slightly. The "secret key" thing is new to me, and I wouldn't call it industry standard.

  • BigStef
    Community Member

    Hi Kaitlyn, I think you're right about the standard thing. I will open a ticket on their GitHub and see what happens. I will come back to give some feedback here. Thanks for your time spent here :)

  • ag_ana
    1Password Alumni

    Sounds good! And on behalf of kaitlyn, you are welcome :)

  • BigStef
    Community Member
    edited January 2020

    Hi 1Password team. A discussion has been opened on Joomla's GitHub (https://github.com/joomla/joomla-cms/issues/27580). Is there any list of words 1Password recognizes available (as, e.g., for KeePassXC: https://github.com/keepassxreboot/keepassxc-browser/blob/9e9d7a5f28e6c1c200cd7cb7807f9f787ae336b4/keepassxc-browser/content/keepassxc-browser.js#L9-L17)?

  • kaitlyn
    1Password Alumni

    @BigStef – There are honestly too many to list, but the biggest ones are: otp and totp. They can also include something like: 2fa, code, two-factor, challenge, token, mfa, and I'm sure 1Password will be able to figure it out. I'm so glad you reached out to them!

  • BigStef
    Community Member
    edited January 2020

    Hi Kaitlyn, the discussion at GitHub is going on. Something will probably be done. But for now, the question is "Is there any industry standard?". This question is not without interest. As you mentioned it above, I would like to know if you have any source about that? Any information? Or is it something you have decided internally at AgileBits?

  • kaitlyn
    1Password Alumni
    edited January 2020

    @BigStef – Honestly, that's a really good question. I'm not sure that the industry standard has necessarily been declared, so I guess it depends on what "industry standard" means to you. I was taking it as what I typically see developers do when it comes to HTML for TOTP fields. To find that out, we could visit a few websites and see what their TOTP field code looks like. What I mentioned earlier is what I generally see when testing websites on a daily basis.

    As far as documentation goes, we've got a page that explains how to best design a website to work with password managers, but that's pretty simplified. I also found some info on the autocomplete attribute in Mozilla's documentation. They mention the value "one-time-code," which would also help 1Password out. So the attribute would look like autocomplete="one-time-code" as part of the field's HTML (along with a name/label/any other necessary attributes). I hope that helps!
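
An illustration of the two signals discussed in this thread, the `autocomplete` attribute first and name/id hint words as a fallback. It is an example added here, not 1Password's filling algorithm; `classifyOtpField`, the hint sets and the sample fields are assumptions built from the attributes and words quoted above.

```javascript
// Illustrative heuristic only: NOT 1Password's filling algorithm.
// Hint words are the ones named in this thread; everything else is assumed.
const NAME_HINTS = new Set(["otp", "totp", "2fa", "code", "challenge", "token", "mfa"]);
const PHRASE_HINTS = ["two-factor"];
// Standard autocomplete tokens that say the field is something else.
const OTHER_PURPOSE = new Set(["username", "current-password", "new-password",
                               "email", "tel", "postal-code", "cc-number"]);
const FILLABLE_TYPES = new Set(["text", "password", "tel", "number"]);

// field: plain object mirroring <input> attributes {name, id, type, autocomplete}
function classifyOtpField(field) {
  const type = (field.type || "text").toLowerCase();
  if (!FILLABLE_TYPES.has(type)) return { otp: false, reason: "type" };

  // 1. Explicit signal: autocomplete may hold several space-separated tokens.
  const ac = (field.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (ac.includes("one-time-code")) return { otp: true, reason: "autocomplete" };
  if (ac.some((t) => OTHER_PURPOSE.has(t))) return { otp: false, reason: "autocomplete" };

  // 2. Fallback: guess from name and id.
  for (const attr of ["name", "id"]) {
    const raw = field[attr] || "";
    // Split camelCase, then normalise separators: twoFactor_Code -> two-factor-code
    const norm = raw.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase()
                    .replace(/[^a-z0-9]+/g, "-");
    const words = norm.split("-").filter(Boolean);
    if (words.some((w) => NAME_HINTS.has(w)) ||
        PHRASE_HINTS.some((p) => norm.includes(p))) {
      return { otp: true, reason: attr };
    }
  }
  return { otp: false, reason: "no-hint" };
}

// Constructed sample fields, using the attributes quoted in the thread.
const samples = {
  siteground: { name: "two_factor_code", type: "password" },
  joomla: { name: "secretkey", type: "text" },
  joomlaFixed: { name: "secretkey", type: "text", autocomplete: "one-time-code" },
  zip: { name: "zip_code", type: "text", autocomplete: "shipping postal-code" },
};
for (const [label, f] of Object.entries(samples)) {
  console.log(label, classifyOtpField(f));
}
```

Without its `autocomplete` value, the `zip_code` sample would match on the word "code", which is why name-based guessing alone misfires and an explicit `one-time-code` token is the more reliable signal for site authors to provide.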

  • BigStef
    Community Member
    edited February 2020

    Hi there, just to say that an official PR for autocomplete="one-time-code" has finally been posted on Joomla's GitHub: https://github.com/joomla/joomla-cms/pull/27967.

  • BigStef
    Community Member

    I have some feedback about that. Suggestion:

    Maybe 1Password should implement a check of the autocomplete property to go with the possible future standard?

    Sources:
    HTML - Living Standard
    Apple - Enabling Password AutoFill
    Any comments about that ?

  • kaitlyn
    1Password Alumni

    @BigStef – That's so awesome! Hat tip to you. 👏

    Maybe 1Password should implement a check of the autocomplete property to go with the possible future standard?

    I don't think I'm following your suggestion. 1Password X does take autocomplete into account when determining what fields should/shouldn't be filled. It's not the only thing 1Password looks at simply because the autocomplete attribute isn't always used the way it should be. It's something we mention on our page that explains how to design a website to work best with 1Password. Based on the sources you mentioned, one-time-code seems to be the standard autocomplete type for 2FA fields, which matches with what I found in Mozilla's documentation. I'm not sure what I'm commenting on, though. Could you explain your suggestion in detail so I can better understand the question?

  • BigStef
    Community Member
    edited February 2020

    Hi Kaitlyn, thanks for answering.
    I'm feeling a bit between the hammer and the anvil. :) The PR will likely be managed by next week. Let's see what the result is. I will bring feedback here.

  • kaitlyn
    1Password Alumni

    @BigStef – Sounds good! My bet is that 1Password will be able to fill the OTP just fine. Since I'm not able to access the previous test suite you created, I'm not able to check it out myself, but something you can do is add autocomplete="one-time-code" to the HTML via dev tools then attempt to fill the item in the 1Password X pop-up. If the 2FA code fills, then we're looking good. I know I previously set the label to one-time-code and that worked well, so I have faith. :)

  • BigStef
    Community Member

    Hi @kaitlyn, just to tell you that I have made some tests with the first Joomla 4.0.0 Alpha (launched this month) and 1Password is able to fill the 2FA field now. This is great. :)
    Changing the element's ID on the Joomla 3.9.x series looks like it isn't possible for one reason: "Some 3rd party (template or whatever) may use the id in some own css (or less) file for styling" (as said on the GitHub PR).
    For info: the release date for a stable version of Joomla 4 is not defined yet...

  • That is encouraging news @BigStef. Thanks for letting us know. :)

    Ben

  • BigStef
    Community Member

    Hi 1Password team. I have great news! ;)
    I have just tested the first Alpha of Joomla 3.10 and the TOTP 2FA field is finally compatible with 1Password now!
    Joomla 3.10 is supposed to be a kind of "bridge" between J 3.9 and J 4.0... The final release should be in the next weeks...

  • That is great news. :) Thanks for the update!

    Ben

This discussion has been closed.