AWS console account id being replaced with one-time password

I only noticed this first this morning, but haven't logged in for at least a week. When 1Password X populates my creds on the AWS login page (https://console.aws.amazon.com/?nc2=h_m_mc) the one time password is being pasted into the Account ID field.
Mostly just annoying, but has definitely changed recently.


1Password Version: Not Provided
Extension Version: 1.18.0
OS Version: Win10
Sync Type: Not Provided

«134

Comments

  • Cellane
    Cellane
    Community Member

    I’m seeing the same issue, with regular old 1Password, not 1Password X. I thought I’m going crazy for sure because I remember that this used to work well – but for the past few days, going through that login form has been a major annoyance (especially as I have to switch between many AWS accounts multiple times a day).

    I checked the password details in 1Password, and I still have stored the correct value of account for each account I need to access. I also checked the HTML of the login form, and I don’t think AWS renamed anything.


    1Password 7
    Version 7.3.2 (70302004)
    Firefox 73.0.1 on macOS 10.15.2

  • Ohook3Xa
    Ohook3Xa
    Community Member
    edited March 2020

    i'm having the same issue (replacing account with one-time password).
    i'm using 1password X version 1.16.2 under firefox 72.0.1 from ubuntu linux.
    i tried saving a new login and got the same (broken) behavior.
    this used to work, i hadn't changed anything about this login or updated my browser extension.
    maybe aws changed something but i can't tell what is causing it

    for the longest time it never filled the account for me, just the username/password, and then after submitting the one-time password was filled correctly, but ideally (for me) it would also save and fill the account name as well since that is part of the form.

    i wish i had more control over what fields are saved/filled and i could edit/create/update those directly.

    screenshot of page in question:

  • Ohook3Xa
    Ohook3Xa
    Community Member

    actually, i tried updating to the latest 1password X extension (version is now 1.18.0)
    and now seems like the aws console login for me is completely broken.
    it won't fill in the mfa code on the second form at all anymore.
    i can manually copy/paste the value but even trying to click autofill just blanks out the form and sends me back to the first page of the login flow (and breaks the form by not filling in the correct fields)
    this is very annoying as this is my #1 use case for 1password

    mfa code page screenshot:

  • Soundar
    Soundar
    Community Member

    Support Team

    I am also facing the same issue. Can someone from 1password support team respond to this ASAP?

    Thanks
    Soundar

  • mjcsb
    mjcsb
    Community Member

    I had the same issue. I can confirm the AWS GUI login page was working as of Monday night 3/9/20, and broken as of Tuesday morning 3/10/20. In both Chrome and Safari on macOS Catalina.

    When I looked into the source for the AWS Login page, the text input field for Account ID now has id="account" and name="account". Our AWS IAM User login entries had a field named "id" which contained the account alias, when this worked as of Monday night. I tried changing our 1Password entry label from "id" to "account" - and this fixed the problem on my Mac. I don't know if AWS GUI team changed this page overnight. I do know I did not update any software from 1Password overnight between when this worked and stopped working.

    I thought I was done, and swept through all my other AWS IAM user entries and changed this field name from id to account, and sporadically tested on Chrome and Safari and every login worked again. But, I have other team members using Windows, and they are seeing the same behavior, where it appears to paste the MFA code into the Account ID field, and my updated 1Password login entries are not working for them.

    I've asked my team to open a support case with AWS in the morning to see if they changed their GUI login page logic, then once they got an answer, to contact 1Password, but it seems this issue is already being reported here. So, thought I'd update with the symptoms we're seeing.

  • dangul
    dangul
    Community Member

    Yepp, same here happens this morning 11/3! Got 1.18 passwordX

  • Hey everyone! Thank you all so much for taking the time to report this! :blush:

    I was able to reproduce this behavior (filling TOTP in the Account ID field) in the AWS IAM user login form. I'm sorry for the obstruction this has been to your workflow. I've gone ahead and reported this to 1Password X developers so they can see if there's something we can do to make 1Password behave in the AWS login form again. We'll keep you updated in this thread.

    For what it's worth, as @mjcsb mentioned, you may be able to create a custom field in your 1Password Login item for your Account ID. Using the label "account" should work. I know it's not much, but if creating a custom field in your login doesn't work out, you might find dragging and dropping your credentials to be faster than copy/paste while we look for a fix.

    Thank you again for being so awesome, @DansSuperPassword @Cellane @Ohook3Xa @Soundar @mjcsb and @dangul! ♥️

    ref:dev/core/core#1123

  • Peppo
    Peppo
    Community Member
    edited March 2020

    Same for me, definitely a recent change. Thanks for looking in to it!

  • Yeah, I'm definitely thinking something changed in the AWS IAM form, since we haven't made any changes nearly as recently as this issue started cropping up. I'll add you to the list of affected users, @Peppo! Thanks for reaching out. :)

  • scottrbaxter
    scottrbaxter
    Community Member
    edited March 2020

    Confirmed, same issue.

    Chrome Extension: 1Password extension (desktop app required) 4.7.5.90
    Browser: Brave Version 1.4.96 Chromium: 80.0.3987.132 (Official Build) (64-bit)
    macOS Catalina 10.15.3

    This was working fine yesterday, I used my standard 1password keyboard shortcut as I do almost daily... today it replaces the "Account ID (12 digits) or account alias" field with my TOTP token.

    Anyone have a quick fix? I've actually got the "account alias" as a field in this 1P entry already, but don't know how to populate it in place of the TOTP that's now in the incorrect field.

    edit: reading mjcsb's post above, I was able to change the 1password "label" field (originally i called it "alias") to "account" as suggested, and works fine on macOS. Tested with 2 different entries/AWS accounts. Not ideal, but a quick fix nonetheless. Thanks @mjcsb!

  • I'm glad @mjcsb's suggestion is working for you while we look for a fix, @scottrbaxter — Thanks for letting us know!

  • monodemono
    monodemono
    Community Member

    Hello, I've been using 1Password for a while now, love it, and I use AWS (Amazon Web Services). In AWS, there's root accounts, and then IAM (Identity and Access Management) accounts, When you login to a root account, there's one login form for that, which is just user and password, as it's the administrator of an entire organization. When you login to an IAM account, there's a separate login form where you include the account ID or account alias so that AWS knows what organization your account is a part of. 1Password has worked fine with the IAM login form in the past, but as of yesterday (3/10/2020) (at least, that's the first I started noticing it) 1Password has begun replacing the Account ID field with the 2FA.

    Normally you can go to https://"account-alias".signin.aws.amazon.com/console to reach your organization's IAM sign in page with the account alias pre-filled into the account ID field, or if you've recently been signed into an IAM for a particular organization, he account ID will usually just be left over in the field for convenience. As I stated before, in the past 1Password ignored this field as expected (as it's populated by the login page URL, or from your cookies) but now it has started filling in the 2FA (which doesn't appear until the next page, after the initial IAM login) which is making logging in a longer process.

    IAM login page (the red is my account alias):

    After 1Password autofills (the red is my username, I can leave the account ID field uncensored because as I explained, it's just a 2FA which has already cycled out, so it's not useful to anybody):


    1Password Version: 7.4.3 (70403002) 1Password Store
    Extension Version: 1.18.0
    OS Version: OS X 10.13.3
    Sync Type: Not Provided

  • ag_tommy
    edited March 2020

    @monodemono

    I have merged your post with an existing topic. Please see the above comments.

  • Ohook3Xa
    Ohook3Xa
    Community Member

    i tested the workaround from @mjcsb and for me it only works with 1password extension, not with 1password X extension -- so it is useless to me on linux.

    i used the 1password desktop app on mac to edit the web form fields -- didn't realize you could do this since i'm in linux 99% of the time.
    i added the account field to the saved web form fields as a text. after that the 1password extension properly filled the account id field.

    however 1password X (on either mac or linux) continues to fill in the one time password as the account id -- and then even when i replace with the correct value and go to the next page it doesn't fill in the totp value, nor is it in the clipboard at that point (i guess it thinks the totp has already been submitted successfully). very annoying.

    any update on when this will be addressed or any workaround for 1password X users?

  • Ohook3Xa
    Ohook3Xa
    Community Member

    after this incident, i went ahead and switched over to not storing 2fa inside 1password. feels safer in the end, as now a breach of 1password along (wether server or client/browser/extension) won't authorize access to my accounts.

    probably should have done this from the start. still using 1password X for initial form fill as it works pretty well and allows for organizational access to shared secrets.

    would like to be able to edit web form fields from linux or cli/api.
    any chance that is on the roadmap?

  • mendel
    mendel
    Community Member

    I'm using the 1password extension (not 1passwordX) in Chrome and Safari, and @mjcsb's workaround doesn't work for me. The field in Saved Web Forms is called "account" and always has been:

    and I verified that the input element is still named "account" on the console login page:

    This is a real pain, since as someone earlier mentioned, this sign-in form gets a lot of use during the day.

  • tetious
    tetious
    Community Member

    This is very weird. The workaround was working for me yesterday, but today it isn't. I wonder if something else changed?

    It would be so helpful if we had some kind of control over what fields were autofilled. Magic only works when it works. There should always be clear options to override the magic.

  • dnorth98
    dnorth98
    Community Member

    Add me (and all the developers at our company) to the list of affected. Very odd stuff, I thought I was going crazy at first :). Looking forward to this being fixed as the workaround also doesn't work for me

  • BogeyMan
    BogeyMan
    Community Member

    Me too on this one.
    Some time ago, my AWS login was working. Now, not.
    I have a browser bookmark set that gives me a login with the account ID pre-filled.
    When I "autofill" from 1Password, it writes the MFA code to the Accout ID field...

  • wagnerone
    wagnerone
    Community Member

    Add me (and all the developers at our company) to the list of affected.

    Since we're discussing AWS IAM login form filling, has anyone ever figured out how to get this login form to fill automatically when you have multiple AWS accounts? Our company has a lot of AWS accounts (this is pretty common anymore). 1Password gets that it's an AWS login form and presents a large list of possible AWS account login items to scroll through and pick from for us. Would be fantastic if we could streamline that process somehow.

  • wagnerone
    wagnerone
    Community Member

    For those of you not having luck with the workaround, you don't add the "account" info as a new field in the "web form details". You add it as a normal field in the 1Password entry. Very odd that this works.

  • htnelson
    htnelson
    Community Member

    This is broken for me, too. It's really disappointing to learn that Agilebits can't seem to make the automation between their flagship tool, and the signin page for one of the most important sites on the planet. I had to pull strings with IT to get my mfa tokens put into 1Password, now the automation is not working, and hasn't been working for a while.

    I pay a subscription for working software. However, this software no longer works, and I am seriously reevaluating the benefit of the subscription over the cost. I pay you every month to use your software, and you can't even do a regression test for the AWS signin page.

  • dfuentes1977
    dfuentes1977
    Community Member

    @wagnerone's solution worked for me with 1password extension (not X) on latest Firefox. It's a shame they don't test this often since it's a critical path for many of their early adopters (e.g. dev/ops engineers that use AWS everyday).

  • mrmurphy
    mrmurphy
    Community Member

    I was also annoyed by this, but I don't think it's a breach of trust, or that it makes my subscription worthless as other posters seem to. Thanks for your good work! We look forward to a fix :).

  • wagnerone
    wagnerone
    Community Member

    Agreed. 1Password works with countless sites. Those of us needing to log into the AWS console are the vast minority here. It's not like it stopped working on Amazon.com :) Even if it did, Agilebits can only be reactive in these cases. They can't predict every given wrench any given site developer out there may dream up that will break their product. They'll get it sorted out.

  • cecelia
    edited March 2020

    Thank you, everyone! All of this feedback is truly invaluable :blush:. We want just as badly as you do for 1Password to work as intended and fully understand what a pain it can be when it doesn't.

    As soon as we noticed the AWS IAM form had changed, it was reported to our filling logic developers and they got to work on a fix right away. We just submitted a 1Password X release containing that fix to the browser extension stores; The update should be in Firefox shortly (if not already) and is currently in review for the Chrome Web Store. Here's the changelog entry:

    1Password X Release Notes

    You'll get the update automatically, as soon as it's available. Thank you again for taking the time to report this to us and for all your patience while we worked on this fix. ❤️

    [Edit: The fix will be in both the 1Password X stable and 1Password X beta versions in Chrome and Firefox. Both releases are now live in Firefox and should already be rolling out. The Chrome Web Store releases are in review.]

  • Ohook3Xa
    Ohook3Xa
    Community Member

    fyi, I tested the updated 1Password X (1.18.1) and was able to login to aws console as expected using my original/unmodified saved entry (ie. no workaround required).

  • cecelia
    edited March 2020

    We decided to push this fix to both versions — Sorry for the confusion, @Ohook3Xa, and thank you for testing and reporting back. <3 I've edited my comment above.

    I've also tested using both 1Password X stable and beta and have been able to successfully fill an unedited Login item in the AWS IAM form using both. Hopefully everyone else has the same experience. :)

  • BogeyMan
    BogeyMan
    Community Member

    I am not seeing this latest browser extension update. I just re-installed the latest browser extension in Chrome (Mac) and it's still showing 1.18.0.

    This also leads me to ask an additional question regarding the extension(s) - which extension should we be using, or what's the difference between them?

    When I search the "chrome web store", I see THREE matches for "1Password":

    • 1Password X - Password Manager
    • 1Password extension (desktop app required)
    • 1Password X Beta - Password Manager

    After installing the latest from the store, I have these versions:

    • 1Password X - Password Manager - 1.18.0
    • 1Password extension (desktop app required) - 4.7.5.90
  • ag_ana
    ag_ana
    1Password Alumni

    @BogeyMan:

    It might take a bit for the Chrome web store to update with the latest version of the 1Password extension everywhere, but it usually doesn't take long.

    As to which extension you should use, that is up to you: the answer is that you should use the one you like the most. 1Password X is our most recent extension which does not require the 1Password desktop app to work, while the companion browser extension is the traditional one. I recommend trying both and choosing the one you prefer.

This discussion has been closed.