Accounts where TOTP code should be appended (or prepended) to the password

zcutlip
zcutlip
Community Member
edited March 2023 in 1Password in the Browser

This may be a bit of a corner case request, but here goes...

There are some websites (looking at Etrade.com!) where the 2FA TOTP code needs to be silently appended to the password in the same field. There is no visual indication to remind you that a 2FA code is required, and if you forget it just tells you you entered the password wrong[1].

Another example is the login page to opnsense (and maybe pfsense?) router/firewall software. You can enable 2FA on your router, but then have to remember to concatenate the TOTP code just like on etrade.

It would be nice if I could edit or otherwise flag that login item so 1Password knows to automatically concatenate the password and the 2FA code for me so I don't forget.

[1] Admittedly, there's a "use security code" checkbox that reveals a 2FA field, but if you've remembered to check that box, you've remembered you need a 2FA code, so that's not really the issue


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

«1

Comments

  • Hey @zcutlip:

    While it isn't currently possible for 1Password to do this automatically in a single fill, it's definitely something we've heard feedback about before. We have an internal issue tracking this request, and while I can't promise anything specifically, I'll add your voice internally!

    Jack

    ref: IDEA-I-702

  • DenalB
    DenalB
    Community Member

    I also created such a request in December 2021:
    https://1password.community/discussion/117820/paste-totp-code-directly-behind-my-password

    And there was another request in August 2019:
    https://1password.community/discussion/106003/special-2fa-on-mailbox-org

    Yes, this is a special case, but it would be great if 1Password could add such a feature. 😎

  • Hi @DenalB! Thanks as always for your comment and this follow-up including those previous requests. I'll be sure to include those details along with the internal issue we're tracking. Have a great day!

  • zcutlip
    zcutlip
    Community Member

    Yep, an edge case for sure, but glad I'm not alone. Thanks for considering!

  • No trouble, we're happy to help.

  • melorama
    melorama
    Community Member
    edited November 2022

    Adding my support to this as well. I dont think this is a "special case" feature at all. I have several sites that I use daily where I find the lack of 1Password field concatenation really annoying (USAA and my OPNsense router admin page are two that immediately come to mind). Its not 1PW's fault of course, as this is a really silly hack method to not have the OTP code as a secondary input field on these login pages, but the reality is, there are sites that insist on doing it this way, and it's a real pain to not be able to auto-fill credentials this way via 1PW.

    I saw a 1PW team member mention (in one of the numerous previous--and now closed--threads about this feature request) that implementing this feature poses a UX challenge, which I can understand. But it seems to me that it doesnt have to be any more complicated than having a special "dynamic password" (or something better named than that!) field type where you can construct fill-in data based on existing fields in the same vault item, using a "tag" based UI.

    For example, here's how a theoretical "dynamic password" field could work, where I can build a single "dynamic" fill-in field by using concatenated "tags" that represent the names of existing fields in the vault item. This way, you could (at best) map the "password" form field entry to the "dynamic password" field for seamless auto-fills, or (at worst) manually copy and paste the contents of dynamic password field into the form. This way at the very least, you wouldnt have to manually copy and paste data from multiple fields every single time you want to login. You'd just have to copy a single field!

  • alwzbkraken
    alwzbkraken
    Community Member

    The sketch by @melorama above looks very usable to me... nice job. As a 1password gui user, I would have no problem with that if the need arose. I wish it was in the app :)

    I'm not so sure this is a corner case. For example, to enable TOTP on some of the most commonly used firewall web GUIs (eg: OPNSense), you concatenate the TOTP and the password for any authentication attempt. If I want to authenticate with the OpenVPN VPN on one of our firewalls, it also takes this structure. Identity platforms like FreeIPA do the same thing. I think you see it even more as an admin user, though some consumer / regular-human sites are doing it too.

    I basically evangelize 1password, btw. Getting people to adopt good security hygiene is really really hard if they don't have a way to manage longer, more complex authentication processes. I'm probably preaching to the choir here :) Anyway, I can tell you that the two companies in our corporate group are using concatenated [TOTP][Password] to authenticate on the firewall gui and VPN at least. An MSP we work with has the same setup internally because we set it up for them. Some of their client sites either have or will-have the same. And a corporate client of ours with ~5,000 employees may have the same thing for some users (admins and managers mostly) in the future.

    So... I also think this would be a good feature. It's not impossible to log into the concatenated-password things without it (especially if you're technical enough to script something yourself), but it would be convenient if there was a way to handle it. Hope you all will consider it, and thanks for making a great product. :)

  • viswiz
    viswiz
    Community Member

    All three corporate firewall clients I've used/still use require a PIN code followed by an OTP. Please add support for this use case, The UI mockup of @melorama seems to be a good way to implement such feature.

  • nufsty
    nufsty
    Community Member

    Adding my vote for this feature. I have the exact same problem with USAA.

  • Joy_1P
    Joy_1P
    1Password Alumni

    Hi @alwzbkraken @viswiz @nufsty! I can definitely understand why this feature would be great to have. I've passed along all your feedback to our developers. Hopefully this will be considered in a future release.

    PB: 31413791

  • neilwalsh
    neilwalsh
    Community Member

    Adding my voice to this. I need to switch between multiple VPNs (OpenVPN) throughout the day and each time requires this password+otp back and forth dance. I've been tracking this issue for a number of years but I must say @melorama mockup above looks like a usable solution and I imagine (as a fellow developer) "fairly" straightforward to build. Obviously this has to be weighed against other priorities but if you're looking for a nice user facing feature that will have a big quality of life improvement for a number of your customers then I'll vote for this!

  • 251empira
    251empira
    Community Member

    Adding my voice to this. I need to switch between multiple VPNs (OpenVPN) throughout the day and each time requires this password+otp back and forth dance.

    same here i almost tried every vpn listed on nuky but nothing works properly

  • Joy_1P
    Joy_1P
    1Password Alumni

    @neilwalsh @251empira thanks for the feedback, I've shared your comments here with our developers.

  • JulesNet
    JulesNet
    Community Member

    +1 for my vote. My Cisco Anyconnect app requires me to enter the password concatenated with a comma followed by the 6 digit OTP so it would have the pattern "${PASSSWORD},${OTP}". I tried searching for a way to do this and I see people have been asking about it for years.

  • @JulesNet thanks for letting me know! I've let our product team know about how this feature would help you with your CiscoAnyconnect app. Although I can't guarantee if or when this change will be implemented, you can visit our releases page to keep up with all of our latest fixes and features: 1Password Releases

  • melorama
    melorama
    Community Member

    Until the 1PW devs add this functionality, here's a hacky way to do it using the 1Password CLI.

  • Thank you for sharing @melorama.

  • btr
    btr
    Community Member
    edited June 2023

    I'm looking for this feature as well since we just switched over to using pin+TOTP for our VPN. I'll give the 1Password CLI trick from @melorama a go, but I hope the feature gets added to the app.

  • Hey @btr,

    Thank you for your input, I have passed your request on to our product team.

    ref: PB34004356

  • melorama
    melorama
    Community Member
    edited July 2023

    This mostly helpful only if you're on macOS, but I created a Keyboard Maestro macro that auto-concatenates the TOTP code with the password, for one-click generation of a valid OPNsense login password.

    https://www.postproductive.tv/2023/07/31/using-1password-cli-to-login-to-opnsense-with-concatenated-otp-codes/

  • melorama
    melorama
    Community Member

    I improved on the Keyboard Maestro macro so that it auto-fills the concatenated OTP+password and clicks on the Submit button all in one fell swoop!

    https://youtu.be/3uF7ZcEXCBY

  • Appreciate your efforts sharing and explaining your workaround @melorama! I've added these to our existing feature requests so the team has some additional context 🙂

    ref: PB-36212574

  • DenalB
    DenalB
    Community Member
    edited October 2023

    I still would be happy if this feature would be implemented. 😉

  • pinskerj
    pinskerj
    Community Member

    me too, for USAA in particular.

  • @DenalB and @pinskerj

    Thank you both for your continued feedback and suggestions. 🙂

    -Dave

    ref: PB-36278719
    ref: PB-36278792

  • mogg851
    mogg851
    Community Member

    Adding my voice for another vote for this feature. I really like the "dynamic password" field that @melorama mocked up.

    I would like to add a request to maintain the OTP/Password/PIN as SEPARATE fields in the 1Password item as there are implementations for example in a domain authentication on different systems within the domain that use the same OTP/password, but not all authentications require the combination in one authentication action. I mention this as I was afraid it would become it's own item "type" in the app which will not work in all cases of authentication with the same credentials.

  • @mogg851

    Thank you for the feedback, I've passed your suggestion along to the team as well. 🙂

    -Dave

    ref: PB-37766300

  • nickcmaynard
    nickcmaynard
    Community Member

    +1 here as well - my employer's "SSO" uses a single "password" field everywhere and requires us to do a weird copy-and-paste dance 10 times a day. It's infuriating, and I'd like 1Password to take that toil away.

  • @nickcmaynard

    I appreciate your thoughts on this and I can see how having this option would be beneficial. I've gone ahead and shared your feedback with our Product team.

    -Tim

    ref: PB-39289456

  • motivio
    motivio
    Community Member

    Please add me to this request. This is drifting more than a year. Any update for the product manager?