Account versus Login management

pmallonee
Community Member

I've been searching through the forum and I can find pieces of this but not the whole picture.

I am new to 1Password so I'm just beginning my databasing. I'm having trouble where the same account is referenced in multiple ways.

1) At work we have lots of servers that authenticate against a backend database. The default behavior for 1Password seems to be to store a separate username/password/URL entry for each one. This works at a small scale but when password rotation time comes it's going to be a problem.

2) The same account is detected by 1Password in different ways. My phone sees "BofA" for the app while the web sees and makes an entry for bankofamerica.com.

I've seen other users with variations on that theme with different services authenticating against a common source (login with Facebook or Google, for example).

My suggestion would be to build a new kind of vault item - the account. The account would have credentials, but would not have an associated "location". This would be the central reference.

Then on the login entries have the option to reference either an account or to build the current local username/password storage associated with the URL.

That would also mean the browser and tablet installations would need to offer the "accounts" for datafill. Currently when a new site is accessed the login box 1Password icon has "No items to show".

With this indirect reference when password rotations happen the user has to change the password in one spot (the account) instead of each and every "login" entry that has been created. This is not a case of re-using passwords as the password on the backend is one and only one.

If this kind of capability is already in 1Password I haven't found it and I would love direction to it. Judging by the questions in the forum there's a lot of people dancing around the same gap.



Comments

  • vellum
    Community Member
    edited April 2022

    I wondered about this with bank websites/apps, too, and have dealt with it in two ways.

    Duplicate, then combine the login:
    Create a login for the bank website and a second login for the bank app.
    Later, enter both websites on one login, and delete the second login.
    (tedious.)

    Use the search function on signin:
    When the 1Password app says 'no item', tap 'search vault'.
    Type the existing login name & search for it
    select it
    select fill
    (the app added the alternate url when I tried this a while back)

  • Kakkoister2
    Community Member

    For my bank logins, I have the main websites saved in 1Password, and then those logins are suggested for the banking apps on my phone.

  • pmallonee
    Community Member

    That "tap 'search vault'" must be on an app implementation. I get no option of any kind doing that in Chrome which is where most of the accessing of "new" work servers would be performed. Unless I'm missing something there's no particular advantage to having 1Password since I have to type the credentials manually. That also means I can't really use the password generator to generate a truly obscure password since I have to be able to type it manually.

  • pmallonee
    Community Member

    I ran into another use case for the "account" last night. I was signing into HBO MAX. The URL was for HBO MAX, but I needed to sign in with the credentials of my "cable provider".

  • Hi @pmallonee:

    Thanks for reaching out! Depending on what specific setup a service uses, you will have one of two cases for filling that kind of situation:

    1. The service takes you to the identity provider to sign in. With your example, HBO Max, if I choose my ISP, I'm taken to a website for my ISP, where I can autofill my credentials accordingly.
    2. The site shows the login field on the same page. In that case, you can open the 1Password pop-up, and drag and drop the items:

    Drag and drop a field from the 1Password pop-up to the field on the web page, and it'll fill in.

    Let me know if that improves your state of play, or if you're still running into trouble.

    Jack

  • Kakkoister2
    Community Member

    @pmallonee to also add onto what @Jack.P_1P said, the open and fill option is great, as when you have the official website saved, 1P will not ever fill it on a website faking as the real website. For the browser extension, I open HBO Max and since I have Hulu, I search for Hulu in the browser ext and fill it that way. Does this help? Let us know.

  • pmallonee
    Community Member

    I will give this another try once I'm on my work machine. I specifically tried drag and drop when in the Chrome browser and nothing appeared to move between the mini window and no credentials populated. I did that before I wrote this case.

    As I said there are really two parts to this - the credential management part and the browser presentation part. It sounds like what we are discussing is more the browser presentation part.

    I still would be concerned if by using drag-and-drop I was creating many entries with that common password that would have to be changed separately when my passwords rotate. The indirect reference (pointing to a credential instead of recording the credential) for an entry is really still a feature I think addresses several issues.

    Again look at the lifecycle. If I drag and drop 100 servers over the course of a 90-day password cycle do I really want to cycle through 100 entries to update the password? (Especially since I might only log into 50 of those next cycle and add 50 more). If I have the indirect reference to the credential I have to change the password exactly once per cycle. Then it doesn't matter how many servers I've connected to or how I populated the login entry (drag and drop, credential select, typing the password).

  • Kakkoister2
    Community Member

    @pmallonee I don’t believe it would create multiple entries for your passwords, @Jack.P_1P will confirm this.

  • pmallonee
    Community Member

    I think I have confirmed all these behaviors. I'm in Windows 10, Chrome 100.0.4896.88, Chrome plugin version 2.3.2.

    I can find no "Drag and Drop" in the Windows/Chrome implementation that would allow me to re-use a credential set. The closest I can find is to select an account and click copy on the name in the plugin and then paste it into the box. Repeat for the password. That copy is only of value in the case of a difficult-to-type generated password.

    More importantly when a new server is logged into it creates a separate entry for that server/url/username/password combination. When I log into another server it creates another separate entry with a different URL but duplicate credentials. This can be inspected by editing the login in the main app. In this case the credentials were identical not because of password re-use, but because the server authenticated against a domain server which has the single identity and is authenticating both servers with the same credentials.

    I then changed the password on the domain side. Of course I expect 1Password to have the incorrect password at this point. As an exercise I changed one of the entries to the correct new password. This entry works. The remaining entries which were created with the previous password still contain the previous password.

    This emphasizes the need for the indirect reference to the credentials. I should be able to POINT to a credential set in 1Password and maintain the username and password in that single item. I actually work with multiple domains but as long as the "login" points to a credential there's no reason why this wouldn't scale.

    I also think the proposed "account" vault item could be rendered in the GUI components that way separately from a login. A login carries an implicit URL in the 1Password implementation which is why new servers show "No items to show". The GUI could offer Accounts separately from "logins" (and probably with logins prioritized higher on the list) such that if an account is used to fill the username/password boxes the login entry automatically gets created with the indirect reference to the selected "account".
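
Added example, not part of the original post and not 1Password's data model or API: a minimal Python sketch of the rotation experiment described above, comparing one stored copy per URL with the proposed indirect "account" reference. The `Account` and `Login` classes, the username and the server names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Hypothetical 'account' item: credentials with no URL attached."""
    username: str
    password: str


@dataclass
class Login:
    """A login entry: a URL plus either its own copy of the secret
    or an indirect reference to an Account."""
    url: str
    username: str = ""
    password: str = ""
    account: Optional[Account] = None

    def credentials(self):
        # Resolve through the reference when one is set.
        if self.account is not None:
            return self.account.username, self.account.password
        return self.username, self.password


def stale_logins(logins, username, current_password):
    """URLs whose stored secret no longer matches the backend directory."""
    want = (username, current_password)
    return [entry.url for entry in logins if entry.credentials() != want]


def rotation_demo(n_servers=100):
    # Constructed sample data: n servers authenticating against one domain.
    urls = [f"https://srv{i:03d}.corp.example" for i in range(n_servers)]
    old, new = "old-domain-pw", "new-domain-pw"

    # Behaviour observed in the post: one saved copy per server URL.
    copied = [Login(url=u, username="pm", password=old) for u in urls]
    # Proposed behaviour: every login points at a single account item.
    account = Account("pm", old)
    linked = [Login(url=u, account=account) for u in urls]

    # The domain password rotates; the user makes exactly one edit in each model.
    copied[0].password = new
    account.password = new
    return (len(stale_logins(copied, "pm", new)),
            len(stale_logins(linked, "pm", new)))


if __name__ == "__main__":
    print(rotation_demo())
```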

  • Hi @pmallonee:

    Thanks for following up. It sounds like you have multiple URLs / IP addresses all with the exact same username and password, is that correct?

    In that case, your best option would be a Login item with your username and password, and multiple website URLs for each server or domain they'd be relevant for, like this:

    To clarify the drag and drop that I was referring to is dragging from 1Password in the browser to a field on a website, like so:

    Let me know if that makes sense for your use case, or if you'd like me to dig in further with you!

    Jack

  • pmallonee
    Community Member
    edited April 2022

    Well I could have sworn I tried that specific drag and drop yesterday with no action but it worked this morning. This is the copy I mentioned as being useful only really with a generated password. Otherwise it's slower to use 1Password than to just type the password. Since this particular account also unlocks my laptop I haven't gone in on password generation yet.

    With respect to the multiple servers, what you suggest would require that I prepare all possible access points ahead of time. I certainly don't get an option when a new server gets presented to use an existing credential. All I get is the "No items to show".

    I have literally thousands of servers and applications that can use my domain ID. While I have experimented with only application logins I haven't got to the point of trying with ssh (which obviously wouldn't use the Chrome plugin). Those other types of logins aren't going to have the "url" that the application does - it will almost certainly get another type of entry if the two entries 1Password created for my Bank of America credentials are an indication.

    So yes, I think I would like to dig in further. I'm using this corporately and personally (I just accidentally mixed vaults doing the test).

  • pmallonee
    Community Member

    So no more engagement on this?

    After using 1Password more in the intervening month I'm finding more and more instances of the same authentication on the back end coming through multiple front end portals and they all have separate entries in 1Password.

    Some of those cannot be tricked with the URL since as in my original post "Bank of America" on the web and "BofA" app are completely different entries even though they have the same authentication back end. Changing my password will require me to change it in two places and no getting around it.

    I don't even try in my corporate environment. One login with hundreds of portals requires hundreds of password changes and it just isn't worth it.

    Please investigate the indirect account reference for Logins.

  • Hi @pmallonee:

    My apologies for the delayed response. To clarify, you can use your "Bank of America" login both on the web and in the Bank of America app. If you use 1Password for iPhone, tap the Passwords button when you have the login field selected, and you'll see something like this:

    If you see a URL in the button for "Create new login", that's the app's Associated Domain. 1Password uses the Associated Domain to determine which Login item to use for AutoFilling. Make sure that the item you're filling has a matching URL, and you should see that one suggested in the future. If you're using 1Password for Android, tap Autofill, then search for the item. You'll be prompted to associate the Login if they don't quite match, but it should then be suggested in the future.

    As for the concept of storing an "Account" to be used with multiple Login items, that's an interesting idea, and I'll share it with the team.

    Jack

    ref: IDEA-I-1113

  • pmallonee
    Community Member

    I'm about to go through a password change cycle at work.

    Was there any interest inside the development team with the concept of a login pointing to an account (and by extension, multiple logins pointing to a single account)?

  • Beyond adding multiple URLs to website fields on an item... nothing on the radar for the immediate future, @pmallonee. Perhaps something that can be worked in as part of a larger effort in the future.

    Ben

This discussion has been closed.