On the latest iOS app, I see an option to setup 2FA authentication codes using 1Password, see screenshot.
How exactly is toss feature used?
I've been using Authy for several years, I was not aware that iOS even offered this option now. I realize this is an Authy question but I've chosen Authy currently but I don't see it kicking in, how does this work?
Hello @shhh! 👋
This is a new iOS feature that I believe we're started testing with the latest beta version of 1Password for iOS. It allows you to ingest TOTP seeds so that you can easily setup two-factor authentication for the apps that you use on your iPhone or iPad.
So, for example, if you try to setup two-factor authentication for an account via an iOS app on your iPhone, and 1Password is enabled for the "Setup Verification Codes Using..." feature, Password AutoFill should offer to save your one-time password in 1Password without you having to scan a QR code or save the secret manually.
I hope that helps! 🙂
@Dave_1P How can I take this for a spin? And I am guessing this works only on Safari browser on iOS? I use Firefox so I am out of luck?
You should be able to use it with any site that produces an otpauth:// url for their 2FA enrollment.
I went to a site and signed up for 2FA. Change iOS Settings > Password > Options to choose 1Password to generate verification codes. It produced the usual page with a QR code and the corresponding alphanumeric key and a text box to enter the generated TOTP code. The iOS Safari extension did not appear to recognize any of these elements. In contrast, the browser add-on Scan QR code feature is such a pleasant experience.
Am I missing something?
You're not missing anything, that's not how that OS feature works. If you had an otpauth:// url on that page, or extracted it from the QR code and you tried to load that url, that would've bounced you over to the iOS app and it would have let you pick an item to attach it to (or create a new item to contain it).
I'm still not sure I understand. I opened this page in iOS Safari but the otpauth:// link you provided is NOT clickable. Should it be?
Besides, I have NEVER seen a "raw" otpauth:// URL on any 2FA sign up flow. Sites provide a QR code and/or the alphanumeric code that represents the TOTP seed.
Even when I go to your test page at https://fill.dev/form/registration-2fa in Safari, I do not see the 1Password extension kicking in.
It seems to not actually be clickable, but if you copy it and paste&go in Safari's url bar then it'll do the expected behavior (ask if you want to open it in 1Password). The iOS Settings -> Passwords -> Options path doesn't have anything to do with the Safari extension, it is solely telling the OS that the main iOS application can handle being provided an otpauth:// url. I'm not sure if Apple's intent there is to have sites displaying those directly going forward or not, but it's not generally applicable when a QR code or the OTP secret is on that device's screen. It's possibly helpful if you're using the iOS device's camera to open a QR code's url from another device or paper or something.
Hmm when I tried again I do see that the link is clickable on this page but when I click it in get an error
I'm not sure if you are a 1Password team member and I realize this is beta software but I'm still unclear on what the user experience here should be. What was the intent 1Password had when the app was enhanced to add 1Password as an option on the iOS Settings Password Options? As I mentioned, the desktop experience provided by the Scan QR code feature is superb. I just don't understand how the iOS feature provides that functionality. Are you expecting users to copy paste otpauth URLs manually?!
I think the purpose of this iOS platform feature is two-fold: it both allows induction of codes (as @rudy describes) and auto-fills codes when needed. Rather, this is how the feature is supposed to work. For example, this article shows how it functions using iCloud Keychain: https://tidbits.com/2021/10/07/add-two-factor-codes-to-password-entries-in-ios-15-ipados-15-and-safari-15/. See this screenshot from the article:
If 1Password fully supports this feature, the benefit is not with websites. As @shhh says, the 1Password browser extension already does a fabulous job with that. The real win would be when logging into apps: iOS would offer the OTP in that strip above the software keyboard, pulled from 1Password. In other words, we wouldn't need to use the "copy OTP to clipboard" feature of 1Password anymore.
I hope the team is working on full support for this feature, because it is in my book the only "less than perfect" aspect of filling passwords in an app. Don't get me wrong: I am grateful for the cleverness of the "copy OTP to clipboard" feature. Filling OTPs with the platform "verification codes" feature, however, would just smooth out the user experience.
The "Setup Verification Codes Using..." feature is handled by iOS Password AutoFill. If an iOS app offers you an otpauth:// link and you open it, then iOS will pass the TOTP secret in that otpauth:// link to the authenticator app that you've selected for the feature. If that authenticator app is 1Password then you'll be given the chance to save the secret in 1Password.
For example, if you enable two-factor authentication (2FA) for your Twitter account using the Twitter iOS app, you'll see a button in the Twitter app called "Link app". If you tap on that button iOS will open 1Password so that you can save your 2FA one-time password for Twitter in 1Password.
This feature doesn't work with QR codes and if you're being offered a QR code (and not an otpauth:// link) when you enable two-factor authentication for a website then I suggest that you scan it using the "Scan QR Code" feature built into 1Password for Safari on iOS: Get to know 1Password for Safari on your iPhone or iPad
Let me know if you have any questions. 🙂
@Dave_1P Did you see my previous comment? When I tap on the otpauth:// link, I get an error, it does NOT open 1Password, which is what I have selected in iOS Settings > Passwords > Setup verification codes using ....
The otpauth:// link that Rudy posted was just an example. Try copying and pasting the link into Safari's address bar.
Do you have an actual app that is offering you an otpauth:// link that you're trying to use the feature with?
Copying and pasting Rudy's link into Safari's address bar gave the same error so I am guessing the link is invalid.
I do not have an actual app at this time, I am just trying to understand how to use the feature. As I mentioned earlier, even when I go to your test page at https://fill.dev/form/registration-2fa in Safari, I do not see the 1Password extension kicking in. The otpauth:// link on that page is not clickable and I am unable to copy/paste it either.
Ah I see the issue. For some reason, Rudy's link above has the word denied: in front of otpauth:// which makes it invalid. When I remove that, it works fine. When I paste it in Safari, it asks to open in 1Password and presents a list of all Login items to search. When I pick an item, it pastes the seed into the one-time password field to generate the TOTP codes going forward.
This assumes that a Login item already exists for the site. If it does not, then I do not get that Scan QR code option
I'm glad that you got it working and I'm sorry for the confusion. 🙂
Yes, you'll need to have first saved a Login item for a website in 1Password before you see the "Scan QR Code" option when using 1Password for Safari since 2FA one-time passwords are an additional factor and require that you already have the primary factor (the website's password) saved in 1Password.
@Dave_1P Well, I might have chosen to skip saving the item in 1Password on the login/password page but when I see the QR code I want to change my mind and save the item. I realize that the username/password is no longer available to 1Password but it could offer to create a new item with just the QR code and leave it to me to add the username/password later.
Thank you for the suggestion! I can definitely see how 1Password in the browser detecting and offering to save one-time passwords for a website, even if you don't already have an existing Login item, would be useful and I've passed your request along to the product team.