Using 1Password with other browsers
1Password for Android currently embeds a list of known browser apps that it will support autofilling logins for. The list is quite small, with many popular browsers still unrecognized despite years of requests from users to add Chromium/Fennec/Bromite/Kiwi/etc. to the list. The reasoning that's typically given for this is that the 1Password folks carefully vet each supported browser for compatibility and security before allowing it, which understandably takes a lot of time. However, some browsers, like Chromium or Fennec, are functionally identical to supported variants as far as a password manager is concerned and would work perfectly with zero code changes required, but remain blocked just because they have a different package name. In some cases, users have no supported browsers available at all.
This limitation inevitably leads users to have to link their browser app with each individual login they use, and then to manually scroll through the entire list to find the login for the page they're on. In addition to being incredibly tedious, frustrating, and error-prone (like filling a credential for the wrong site without realizing you mis-tapped), this is also bad for security, because the user loses the phishing protections that autofill offers against things like lookalike domains. The issue also disproportionately affects users who place a high value on their privacy, since many of these unsupported browsers are essentially "[popular browser] with tracking removed," meaning that 1Password is effectively forcing users to choose between privacy and security, actively preventing them from having both. I hope it's clear why this is a bad thing.
1Password used to be better about allowing flexibility in situations like this. In old threads, you'd occasionally see references to a help article about bypassing a similar restriction in the desktop app. Unfortunately, that URL now redirects to a much less helpful page that doesn't even address the original issue directly. Telling users to simply stop using their primary browser is not a strategy that's likely to win over many hearts. Other users are even using an officially supported browser, but with local modifications, and are locked out "for their own safety" because the signature doesn't match, essentially being told that 1Password is simply not an option for them. I'm unclear if 1Password for Android also enforces signature verification for trusted browsers or just uses the package name, but I fear it may be the former.
In an ideal world, 1Password would have the resources to fully vet every browser people want to use, and this problem would be limited to just the extreme edge cases, like developers or power users who compile their browser from source. But in a world of finite resources, there's another obvious solution: just let users add trusted browsers themselves, at their own peril. I've been very careful to avoid using the word "support" here, because I fully expect that such a feature would be explicitly unsupported, and I would even encourage the use of a scary warning message about the risks involved. Believe me, I understand what can happen if a malicious or even just insecure browser was able to fetch logins from 1Password, and I totally get the desire to offer users some protection against that risk. But while a trusted list of known-working, known-safe browsers is a valuable thing to have, it shouldn't be a hard limitation that prevents people from using 1Password entirely. If I trust the browser I'm using, that's all that ultimately matters.
I also don't think that offering this option would constitute a meaningful reduction in security. For years, users in this situation have had to resort to linking their browser app with every login they want to use in a browser, which I suspect for most users is going to be most logins. This means that browser app has the ability to fill logins from (nearly) any site, putting it right back into the same position as an app that 1Password recognizes as a browser. While I unfortunately can't confirm anything myself without access to 1Password's source code, that sure sounds to me like an awfully similar risk profile to interoperating with an untrusted browser, with the biggest difference being an enormous increase in the effort required on the user's part, both to set it up and to use it on an ongoing basis. In theory users could limit this linking to only a handful of logins, but in reality that's almost certainly not the case. Users ARE using this workaround today, and since there's no explicit messaging around "apps that look like a browser but are untrusted," some may not even realize that the reason 1Password's UX is so bad on a phone is because of the browser they're using. For those that do know the reason, a support article telling them to go download Chrome does nothing to help them. Giving them an option to tell 1Password "treat the following app as a browser" does.
In summary:
- 1Password refuses to interoperate with countless browsers that would otherwise be fully compatible
- At best, this is unkind to users and hostile to privacy
- At worst, this restriction opens up users to easily preventable phishing attacks
- Users should be able to add their own manually-approved browsers to 1Password's list
- This would resolve years of complaints from users, and has the potential to improve their security over the current state of affairs when used properly
- Use of this new feature should still be discouraged, but that doesn't mean it shouldn't exist
Comments
-
Hi @d9a,
From testing Fennec, Bromite, Cromite, Kiwi and Via browsers on my own device, since the latest release of 1Password for Android - version 8.10.32, this issue no longer seems to be occurring, with 1Password now showing the suggestions for the website that is opened in any of these browsers, rather than 1Password offering the browser itself as the autofill suggestion.
Would this be the same behaviour you now see when trying to autofill websites in any of these browsers?
-- Brendan
-
@BrendanR1P your comment brought an interesting issue to my attention, because my fully-up-to-date 1Password app is at version 7.9.4. Apparently at some point the package name got changed from com.agilebits.onepassword to com.onepassword.android, although the display name is the same for both. Here I thought 1Password's Android app was impressively stable compared to its counterparts on other platforms, but I actually just haven't been getting updates for almost two years.
From a quick look at the ratings on the Google Play Store, it looks like folks have been enjoying all the updates I've been missing out on about as much as people enjoyed trying to use 1Password 8 on the desktop. I'm not aware of a way to view historical app ratings over time, so I can't tell if this is because of a recently-introduced problem or just a general sentiment, but if making the switch would mean I can use my password manager with my phone's default browser, I might have to take some fresh backups and then give it a shot.
Either way, now that I'm aware of the discrepancy, I believe 1Password 7 is considered EOL at this point, and as disappointing as that may be, I don't expect to get support for an unsupported version.
-
Thanks for that additional detail. With the launch of 1Password 8 for Android, 1Password 7 for Android is indeed no longer supported. You can find our guide on how to upgrade here:
Let me know if you run into any issues. 🙂
-Dave