1Password extension can break AWS console login flow
When using the 1Password extension on the AWS console with an AWS account that has both virtual MFA (TOTP) and a FIDO security key enabled as MFA, and the TOTP secret is stored in 1P, the extension can break the login flow.
To reproduce, you will need an AWS user account whose MFA devices you can control, as well as a FIDO security key such as a Yubikey.
- Log in to your account.
- View your account's security credentials, which should be available here.
- Ensure that you have one "Virtual" TOTP MFA device, with its secret saved in 1Password. You may need to "Assign MFA device" to create a new one.
- Ensure that you have one "Security key" MFA device associated with your FIDO security key. You may need to "Assign MFA device" to create a new one.
- Log out.
- Start the login process again, entering your password. When you reach the MFA step:
6a. If you see the "Select a method to authenticate with" page, select "Authenticator app or a hardware TOTP MFA device" and the "Remember this method" checkbox, then go to step 7. Otherwise, go to step 6b.
6b. If you see a security key prompt from your browser, cancel it, select "Try another MFA method," and go to step 6a. Otherwise, go to step 6c.
- You should see "Enter an MFA code to complete sign-in," and 1Password should have already autofilled it. Click "Submit" to log in.
- You should now be logged in. Log out again.
- Start the login process again, entering your password.
- You should once again see "Enter an MFA code to complete sign-in." Click "Try another MFA method," select "Security key," and click "Next."
- Observe that the page does nothing when you click "Next." This is the bug that I believe is caused by 1Password's autofilling of the TOTP MFA code.
To show that it's something to do with the 1Password extension, try the following:
- Restart the login attempt by opening https://console.aws.amazon.com/ in a new tab.
- For this new login attempt, don't use autofill. Instead, manually copy and paste the three needed fields (account ID or alias, IAM user name, and password) from 1Password into the form and click "Sign In" to proceed to MFA.
- As before, click "Try another MFA method," select "Security key," and click "Next."
- Observe that the page now navigates to the FIDO page and the browser immediately prompts the user to connect their security key, as expected.
It's possible this is AWS's fault, but given how slowly they move, it's probably on 1Password to fix it regardless.