Filling single step logins that need OTP concatenated with password

This discussion was created from comments split from: Use of and Support for Double-Blind Passwords.

Comments

  • Tertius3
    Community Member

    Unfortunately, you missed the point, @Zatara214.

    There are company website logins and company VPN logins where you log in by entering a username and password. As the password, you enter a text concatenation of some password (or PIN) you chose and the 6-digit number from some physical authenticator token.

    This is a means to prevent an attacker from being able to log in if he stole the token. He still needs to know the PIN. At the backend, these authentication systems split the entered data from the password field back into PIN and TOTP code parts. They first check the TOTP. If it matches, they check the PIN. Login is allowed only if both checks are valid.

    Now, what is asked is for 1Password to help with this concatenation. For example, Ryan proposed that 1Password prompt the user to enter the 6 digits from the physical token, then concatenate this with the PIN from the password database and fill the result into the input field.
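
    The backend behaviour described in the post above (one password field, split into a PIN part and a 6-digit TOTP code, TOTP checked first and then the PIN), as an added example that is not part of this thread and not 1Password's code. It assumes the token is a standard RFC 6238 TOTP device (HMAC-SHA1, 30-second step, 6 digits) and tolerates one step of clock skew; the thread does not say which token type is involved, so that is an assumption. The secret, salt and PIN are constructed sample values (the secret is the ASCII test secret from the RFC).

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30 s time step."""
    return hotp(secret, unix_time // step, digits)


def split_field(field: str, digits: int = 6):
    """Split 'PIN + 6-digit code' as typed into a single password field.

    The token output has a fixed length, so the last `digits` characters are the
    code and everything before them is the PIN. Returns None if the tail is not
    exactly `digits` decimal digits or the PIN part would be empty.
    """
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def enroll(pin: str, secret: bytes, salt: bytes) -> dict:
    """Server-side record: the shared TOTP secret and a salted PBKDF2 hash of the PIN.
    Constructed for this example; a real system would protect the TOTP secret separately."""
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return {"secret": secret, "salt": salt, "pin_hash": pin_hash}


def verify_login(field: str, record: dict, now: int, window: int = 1) -> bool:
    """Check a submitted PIN+code field in the order the post describes:
    TOTP first, then PIN; both must pass.

    `window` allows +/- one time step of skew between token and server clock.
    A production verifier should also remember the last accepted counter so a
    code cannot be replayed while it is still within the window.
    """
    parts = split_field(field)
    if parts is None:
        return False
    pin, code = parts

    step = now // 30
    code_ok = False
    for delta in range(-window, window + 1):
        counter = step + delta
        if counter < 0:
            continue
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(hotp(record["secret"], counter), code):
            code_ok = True
    if not code_ok:
        return False

    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["pin_hash"])


def compose_field(pin: str, code: str) -> str:
    """What a password manager would fill: the stored PIN followed by the code the user just typed."""
    return pin + code


if __name__ == "__main__":
    # Constructed sample: RFC 6238's ASCII test secret and a made-up PIN.
    secret = b"12345678901234567890"
    record = enroll("4711", secret, salt=b"example-salt")
    field = compose_field("4711", totp(secret, 59))
    print(field, verify_login(field, record, now=59))
```

    `compose_field` is the client-side half the post asks for: the manager holds only the PIN, the user types the 6 digits, and the two are joined before filling. `split_field` relies on the code being fixed-length, which is what makes the scheme unambiguous even when the PIN itself is numeric.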

  • Ben

    Hey @Tertius3

    That's a bit different from what the OP was talking about. What they were asking about is password salting with a static salt, for the purpose of not storing all the necessary components to log in within 1Password. I've split your message into its own thread so we can better discuss the specifics of your ask. I can see how a similar feature to what they were proposing could help with both use cases. We're keeping an eye on the need for a solution for systems that require the OTP code be concatenated with the password. It hasn't been a very common request though, I'm afraid. My personal take is that most systems that do this did it this way to avoid redesigning their UI to accommodate a separate OTP field, and will likely begin to be phased out as new products/services/UIs are rolled out that do explicitly account for OTP. That's just my take -- I could be wrong. But certainly the much more common situation is a two-stage process where the static credentials are requested on the first page, and then the OTP is requested on a second page.

    We are tracking requests for this, and I've added your voice to that tracking system. Thanks for taking the time to weigh in. 👌🏻

    Ben

    P.S. Apple maintains a list of public websites that employ this mechanism. If you know of others, you might consider contributing. :) You can find that here: https://github.com/apple/password-manager-resources/blob/main/quirks/websites-that-append-2fa-to-password.json

    ref: https://1password.community/discussion/comment/626618/#Comment_626618

  • Tertius3
    Community Member

    I'm sorry, I don't currently have any website login to show that works as I described. The company I work for has changed their remote login to an ordinary Microsoft account, so it doesn't apply for them any more. You're probably right if you say this will likely begin to be phased out. It also seems even banks don't want to hand out these physical RSA tokens any more and instead go for authenticator apps on your company or BYOD smartphone.

  • Ben

    Thanks for the update @Tertius3. Indeed; even with the physical authentication devices I have, all of the systems I use them with are putting those requests in a separate field (rather than expecting it to be appended to the password). We'll keep an eye out though and see if there continues to be a demand for this.

    Ben
