Not offer to save logins for RSA SecurID web pages or incorporate SecurID in your apps

Hi,
Many pages I log into support RSA SecurID. Sometimes the input type is "passcode", other times you can only go by the label that says "passcode". Either way, it would be nice if the Browser Extensions recognized these pages and offered to not save them.

Alternatively, I'd like to see 1Password work with RSA to incorporate RSA SecurID into all the 1Password apps so that all apps can act as a token. RSA has a partner program in place to do just this. It would require better time coordination between apps to ensure they are sync'd properly so as to generate the same unique codes. (Not insurmountable)

If you need a contact at RSA (I used to work there) let me know.

Thanks,
mike


1Password Version: 5.3
Extension Version: 4.4.3 B2
OS Version: OSX El Capitan
Sync Type: iCloud

Comments

  • littlebobbytables
    1Password Alumni

    Hi @mikefoley,

    At the moment the best option would be to work with our exclusion list associated with the Automatically ask to save new Logins. The easiest way of doing so is probably on a per site basis where when the dialog for saving pops up on a site you don't want it to save you click the cog icon in the bottom left hand corner of the dialog and select the Never Autosave for this site option as you can see below.

    Now the issue of recognising sites using this is I'm assuming they're using standard HTML input fields of the password type. After that there are no standards being enforced, meaning any reliance on the name or ID attribute could easily cause false positives. I can certainly ask but I suspect we'd rather allow our users to manage their own blacklist rather than cause any confusion over why we don't seem to offer to save on site X for no apparent reason.

    I have to confess, I don't know much about RSA SecurID. Based on the quick scan I did is it quite similar in concept to RFC 6238 as also used by Google Authenticator?

  • mikefoley
    Community Member

    Yes, standard HTML fields are used in most cases with the label being "Passcode".

    SecurID may look like a Google Authenticator but it's not. It's a time based token. The hardware fob has a battery and a clock and is loaded with a "seed" record at the factory. It will change the code every xx seconds. The software token, not unlike a Google authenticator, is provisioned on the server and pushed to the user and opened in the token application. Because the RSA token is dependent on a clock, you have to worry about clock skew if you use the same seed record on multiple devices.

    More info at the Wikipedia page: https://en.wikipedia.org/wiki/RSA_SecurID

    SecurID is more of an Enterprise-level solution. Google Auth is Consumer and above.

    BTW, when will we get automatic Google Auth code filled into a web page rather than having to copy/paste? :)

  • littlebobbytables
    1Password Alumni

    Hi @mikefoley,

    I've created a feature request for support of the RSA SecurID which I think would come via their RSA SecurID Mobile SDK. I don't imagine clock skew will be an issue given RFC 6238 is time based too. Thankfully most people do leave their machines and mobile devices set up to synchronise their clocks.

    ref: OPI-2899

    We are working on having the TOTP code be fillable but I can't say when this might happen. We do realise that people want it and it isn't just our customers - we all want to fill in the TOTP code too rather than being limited to copy and paste. I'm not sure how we will attempt to ignore TOTP forms as I'd be concerned simply ignoring anything titled passcode would lead to false positives. Whilst maybe annoying, the user configurable black list means it can easily be edited by yourself at the moment. That's a tricky one given how much variety we see in the designs of sites out there.

  • mikefoley
    Community Member
    edited August 2015

    Thanks for the FR. If you need a contact at RSA, let me know.

    RE: TOTP and Passcode

    Have you looked into bringing up, on a per-page basis, a list of fields and allowing me to say "Put the code from into ? Essentially white-listing the page with a higher level of matching field with value? If you had SecurID or Google token built in then you leave it up to me to decide where the TOTP code should go rather than guessing?

    This could extend to other pages as well that I'd like to see automatically filled. And maybe have the extension offer to fill them rather than me explicitly clicking the button and selecting what to fill?

  • littlebobbytables
    1Password Alumni

    Hi @mikefoley,

    I'm not sure what the devs have considered or considered and discarded in this particular case. I'm waiting to find out just like you and all of our other users :smile:

This discussion has been closed.