1Password filling doesn't work with on-screen keyboard [Virtual keyboards are not supported]

RJS
Community Member
edited January 2017 in 1Password in the Browser

My primary banking institution requires that I enter my "Personal Access Code" (PAC) by clicking the individual letters/numbers of the PAC on their electronic keypad; see attached image.

I created a PAC using the password generator from 1Password, but when I try to autofill the password into the website nothing happens. Is there any way to make 1Password work for this type of keypad?



Comments

  • Hi @RJS,

    Does it work if you copy/paste into the field? Typically situations like that don't even work for those cases. If it works via copy/paste then there's a chance that we can convince this to work via 1Password's filling.

    This is a very bad security practice on their part. Someone is confusing "making it difficult" with "making it secure." I would recommend that you email the banking institution to complain. The single email won't necessarily cause them to change anything, but we've seen companies change things like this in the past after a number of users emailed in. Add your voice.

    Rick

  • RJS
    Community Member

    Thanks for your feedback, Rick. Unfortunately, copy/paste isn't an option; you must use their keypad to enter letters/numbers one at a time.

    I will contact my bank. If you wouldn't mind, what additional information could you provide me to inform them that their keypad is not very secure?

  • rickfillion
    edited January 2017

    That's a shame. :(

    Let me see if I can articulate the problem with this approach. They're very likely doing one or two things here:

    Removing direct keyboard entry support

    You can't type into the field, nor copy/paste into it. They may see it as a security benefit that you cannot directly enter your password because an attacker will also not be able to directly modify the password field to many different combinations. This would dissuade exactly zero true attackers. An attacker worth their salt will instead look at that keypad and find a way to mimic the way that you would enter the password by clicking them. They may have added some protections there to try to slow them down. Slowing down an attacker is a good idea, but only if it's the only path available to them.

    They might be adding math to the password party

    Math when it comes to passwords is great, and part of any good system. But sometimes they take it a little too literally. I've seen a lot of these. Let's say your password is "1234". What you're doing is hitting the keys 1, 2, 3, 4 on the keypad and it's displaying "1234" in the password field. So from your perspective the password is in fact "1234". But from their perspective they may have encoded your password as something else (normal, and a good thing). I'll give you a super super simple example (no one would use something as simple as this, but it should illustrate the point) of how they can take it too literally though. Think of the password keypad as a calculator pad. Between each button click you do on the keypad, the computer adds a "+". As you're entering 1,2,3,4 ... the computer is calculating 1 + 2 + 3 + 4. When you click 4, the last letter in your password, its result is 10. So then the bank could use "10" as your password as opposed to 1234. As long as they do it consistently everywhere, they can store a different password than what you think you have without your knowledge. This would make it impossible for 1Password to automatically fill because 1Password thinks your Password is 1234.

    Doing math with the password isn't wrong. It's how it's done that's usually the issue. An attacker can watch exactly what the webpage is doing while it's doing this kind of math and figure it out really quickly. Once it's figured out, the attacker can mimic the math and keep chugging away with their attack. If the math involved wasn't specifically designed with this purpose in mind, it's adding a negligible amount of strength.

    What they should be doing

    The recommended approach for just about any website is to use something like PBKDF2 which can be thought of as Slow Math. It has the ability to slow down an attacker, as well as having the stored password be different than what you're entering. It's easy to do, and makes the lives of attackers miserable (when properly configured with large iteration counts).

    Disclaimers

    I'm making some assumptions here based on the screenshot you've shown me and assuming that the website that this is from is behaving like other websites I've seen that have similar schemes. It's entirely possible that this website works nothing like what I've described.

    You may have better results with them by asking them to justify these usability gaps and having them describe why they think it's providing you with additional security. If the reasoning provided matches what I've described, feel free to send them what I said.

    I hope this helps.

    Rick
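
An added example, not part of Rick's post and not 1Password's or the bank's code: it puts the post's "calculator" encoding next to a salted PBKDF2 verifier, so the difference between the two kinds of math is visible. The iteration count, salt size and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from itertools import product
from typing import Optional, Tuple

# Assumed parameters for this example; the post only says "large iteration counts".
ITERATIONS = 600_000
SALT_BYTES = 16


def keypad_sum(pac: str) -> str:
    """The post's deliberately over-simple scheme: add up the digits clicked."""
    return str(sum(int(ch) for ch in pac))


def colliding_pacs(stored: str, length: int = 4) -> int:
    """Count the digit PACs of this length that the sum scheme maps to `stored`."""
    return sum(
        1
        for digits in product("0123456789", repeat=length)
        if keypad_sum("".join(digits)) == stored
    )


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Derive a verifier with PBKDF2-HMAC-SHA256; store (salt, iterations, derived)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, derived


def verify_password(password: str, salt: bytes, iterations: int,
                    expected: bytes) -> bool:
    """Re-derive with the stored salt and count, then compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    # The sum scheme stores "10" for 1234, and also for 4321 and many others.
    print(keypad_sum("1234"), keypad_sum("4321"), colliding_pacs("10"))
    # PBKDF2 accepts only the exact password and costs ITERATIONS hashes per guess.
    salt, count, stored = hash_password("1234")
    print(verify_password("1234", salt, count, stored),
          verify_password("4321", salt, count, stored))
```

With the sum scheme, every guess that adds up to the stored value logs in; with PBKDF2, each guess costs the full iteration count and only the exact password verifies.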

  • RJS
    Community Member

    Rick - WOW, thanks for such an informative comment; I really appreciate you taking the time to write it all up, and I will speak with the bank folks, today!

    Thank you!

    Bob

  • You're very welcome.

    Cheers.

    Rick

  • RJS
    Community Member

    Thanks, Drew_AG.

    The other issue I'm dealing with is having to use my bank's keypad to enter a Personal Access Code. I can live with this, yet wanted to inform my bank that folks from AgileBits apparently believe their system is not very secure.

    Below is my initial post, followed by Rick's informative response. My question: should I inform my bank with the information from Rick, or is there something more I should tell them?

    RJS


    RJS INITIAL POST:

    My primary banking institution requires that I enter my "Personal Access Code" (PAC) by clicking the individual letters/numbers of the PAC on their electronic keypad; see attached image.

    I created a PAC using the password generator from 1Password, but when I try to autofill the password into the website nothing happens. Is there any way to make 1Password work for this type of keypad?


    RICK'S RESPONSE:

    "Let me see if I can articulate the problem with this approach. They're very likely doing one or two things here:
    Removing direct keyboard entry support

    You can't type into the field, nor copy/paste into it. They may see it as a security benefit that you cannot directly enter your password because an attacker will also not be able to directly modify the password field to many different combinations. This would dissuade exactly zero true attackers. An attacker worth their salt will instead look at that keypad and find a way to mimic the way that you would enter the password by clicking them. They may have added some protections there to try to slow them down. Slowing down an attacker is a good idea, but only if it's the only path available to them.

    They might be adding math to the password party

    Math when it comes to passwords is great, and part of any good system. But sometimes they take it a little too literally. I've seen a lot of these. Let's say your password is "1234". What you're doing is hitting the keys 1, 2, 3, 4 on the keypad and it's displaying "1234" in the password field. So from your perspective the password is in fact "1234". But from their perspective they may have encoded your password as something else (normal, and a good thing). I'll give you a super super simple example (no one would use something as simple as this, but it should illustrate the point) of how they can take it too literally though. Think of the password keypad as a calculator pad. Between each button click you do on the keypad, the computer adds a "+". As you're entering 1,2,3,4 ... the computer is calculating 1 + 2 + 3 + 4. When you click 4, the last letter in your password, its result is 10. So then the bank could use "10" as your password as opposed to 1234. As long as they do it consistently everywhere, they can store a different password than what you think you have without your knowledge. This would make it impossible for 1Password to automatically fill because 1Password thinks your Password is 1234.

    Doing math with the password isn't wrong. It's how it's done that's usually the issue. An attacker can watch exactly what the webpage is doing while it's doing this kind of math and figure it out really quickly. Once it's figured out, the attacker can mimic the math and keep chugging away with their attack. If the math involved wasn't specifically designed with this purpose in mind, it's adding a negligible amount of strength.

    What they should be doing

    The recommended approach for just about any website is to use something like PBKDF2 which can be thought of as Slow Math. It has the ability to slow down an attacker, as well as having the stored password be different than what you're entering. It's easy to do, and makes the lives of attackers miserable (when properly configured with large iteration counts).

    Disclaimers

    I'm making some assumptions here based on the screenshot you've shown me and assuming that the website that this is from is behaving like other websites I've seen that have similar schemes. It's entirely possible that this website works nothing like what I've described.

    You may have better results with them by asking them to justify these usability gaps and having them describe why they think it's providing you with additional security. If the reasoning provided matches what I've described, feel free to send them what I said.

    I hope this helps.

    Rick

  • Drew_AG
    1Password Alumni

    Hi @RJS,

    I hope you don't mind, but I moved your latest message over to this forum thread where you originally asked about this (and where Rick answered) so we can avoid getting confused between the two different discussions.

    Below is my initial post, followed by Rick's informative response. My question: should I inform my bank with the information from Rick, or is there something more I should tell them?

    I think your question & Rick's response would be just fine, I can't think of anything else you'd need to include, aside from a brief explanation of why you're contacting them. We'll be interested to hear how it goes! :)

  • RJS
    Community Member

    Hi Drew_AG...

    Sounds good, thanks. The bank's online banking department isn't open today because of the holiday, so I'll try and get in touch with them the next couple of days.

    Cheers,

    RJS

  • Hi @RJS - Sounds like a plan. Keep us posted if you have any further questions. We'll be happy to help out.
    Have a fantastic day :-)

  • RJS
    Community Member

    Hello Frank (or...?):

    I sent my bank the information you provided me about the bank's keypad and entering my PAC; I will let you know when I hear back from them.

    Cheers,

    RJS

  • RJS
    Community Member

    Hello...

    Continuing on the same subject as the thread above, below is the response I got from my bank regarding this issue; I copied and pasted what Rick wrote me above, and in my email I noted this sentence from Rick in particular: "You may have better results with them by asking them to justify these usability gaps and having them describe why they think it's providing you with additional security. If the reasoning provided matches what I've described, feel free to send them what I said."

    Please let me know what you think of the bank's response.

    Thank you

    RJS


    RESPONSE FROM THE BANK:

    Thank you for sharing your concerns. It is important to us that our members know their financial and confidential information is safe. I have passed your concerns on to management to evaluate the issue.

    We chose to implement the use of a personalized keypad, as opposed to the “standard” password entry, to prevent the ability of criminals to “spoof” the UltraBranch login page to make it look like it's the real UltraBranch and steal your password. By clicking the on-screen keypad to enter your password, it also prevents the ability to "capture" keystrokes and pick up passwords. If you are concerned about someone seeing which keys you are clicking on-screen, you can also use your keyboard to type the password on most devices.

    Additionally, to reduce the risk of a hacker/scammer deciphering a user’s password, we have programmed the login screen to lock service after three invalid attempts. To unlock their account, the member would have to call us or visit a branch location. This ensures the member is properly identified before their service is restored.

    Alaska USA continually evaluates UltraBranch to provide the highest level of member security. Our design is based off federal recommendations regarding enhanced website security features for financial institutions. We are proud to be able to say that we see very little fraud occur through this channel due to our enhanced security features. Additional information about UltraBranch login security features and how to protect your online account can be found by visiting our website at: alaskausa.org/service/ultrabranch/personalized.asp#how.

    Please let us know if this helps address your concerns. If we can provide additional information or you would like to provide additional feedback, please contact us by replying to this email or calling us at the number provided below.

  • Hi @RJS - It's great to hear back from you and I appreciate the additional details. It's definitely an interesting response from the bank. Let me check with one of my team members and I'll get right back to you. Thanks again and I'll talk to you soon. :-)

  • It sounds like their justification falls under the "Removing direct keyboard entry support" category I mentioned.

    By clicking the on-screen keypad to enter your password, it also prevents the ability to "capture" keystrokes and pick up passwords.

    Secure text fields (password fields) aren't capture-able by software keyloggers on systems unless the keylogger is running as a root process. But it turns out that if the process is running as root on a system, they can do anything they want anyways and the system itself is completely compromised.

    It's much easier for a piece of software to listen for mouse events (clicks) and take a screenshot of the screen and where the user's cursor's located. These systems are designed with good intentions, but typically misguided.

    As I mentioned, it's unlikely that a single email will change their mind. Hopefully eventually they receive other complaints and that they start listening.

    Rick

  • RJS
    Community Member

    Rick - thanks for your reply, and additional information.

    I would like to continue pressing my bank on this issue, as overall their service has been very good for the ~20 years I've had accounts with them. That said, I would understand if you (or others on the support team) don't believe it's worth pursuing.

    So, please let me know what you think we should do, if anything. Your most recent response is quite technical (at least to me!), yet I'd be happy to forward that to the bank, if you think your statements are what they should consider; or, would you prefer to write it in a different manner?

    Also, I'd be happy to ask the bank security folks if they would be willing to communicate directly with you ... is that an option you'd like to explore?

    Thanks again,

    RJS

  • @RJS -

    We'd be happy to talk to anyone at the bank if you'd like to send them our way. I'm not sure that they'll want to talk to us, but you can feel free to point them to support@1password.com.

    I was just talking to Jamie here about your issues. Jamie heads up our form filling code, and he's curious to see this form to see what we could do. I'm going to work with him to get this information based on the URL you sent me on that other thread. I was under the impression that there was no chance of us being able to do anything, but he tells me that in certain circumstances we're able to deal with these.

    Rick

  • jxpx777
    1Password Alumni

    Hey, @RJS. @rickfillion asked me to take a look at this since I do most of my work on the browser extensions. This site is pretty challenging. Here's what I found.

    The keyboard itself is one big image:

    <img src="https://ubauth3.alaskausa.org/BoardImage?session=2183138396160939485" alt="please wait..." name="SafeLogin_Keypad" title="" usemap="#SMA_BoardMap" style="border:none">
    

    So, this keyboard would be inaccessible to someone that doesn't read English or to anyone with visual impairments that rely on screen reading technologies such as macOS's VoiceOver. It's not recommended to have text inside images because they can't be localized and they can't be read by screen readers. They also take up more space. An image with the text Enter will require a bigger amount of data than a button with background and the text "Enter" on it.

    Accessibility is a really important aspect of making computer systems usable for every person regardless of their physical limitations. Apple has a great page about accessibility here: http://www.apple.com/accessibility/ But because the text that you can see on the page is in images and the alt text is not properly set, users with visual impairments will have considerable difficulties interacting with this PAC keyboard. I tested this with VoiceOver and here is what I found:

    As you can see, the VoiceOver interpretation of the "5" key, VoiceOver will read this as only indicating that you're on a link inside an image map but it doesn't say what the purpose is. This would be read out loud to a visually impaired user and they would have no other information about what they are being asked to do.

    Moreover, the "password" field is not even a password field at all but a series of images like this:

    <div id="SafeLogin_Cage" style="position:relative;width:390px;height:268px;z-index:0;">
    
        <!-- 
            snipped by jxpx777 for brevity
        -->
    
        <!-- Asterisks positioning -->
        <img id="SMA_asterisk_0" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:129px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_1" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:143px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_2" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:157px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_3" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:171px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_4" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:185px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_5" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:199px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_6" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:213px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_7" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:227px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_8" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:241px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_9" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:255px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_10" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:269px;top:21px;visibility:hidden;" alt="please wait...">
        <img id="SMA_asterisk_11" src="https://ubauth3.alaskausa.org/Image/2237520305628190104/asterisk.gif" style="position:absolute;left:283px;top:21px;visibility:hidden;" alt="please wait...">
        <!-- End Asterisks -->
    

    As a result, 1Password can't fill in this form for you because there's no password field. 1Password explicitly avoids hidden fields as well since these are most often related to the internal workings of the form and are not appropriate for 1Password to attempt to fill.

    If I had one recommendation to the bank that you could send to them it would be to ask them to do some real usability testing with visually impaired users and see how difficult they are making it to use their site. It's a bonus that sites that are readily accessible also tend to be more amenable to 1Password filling, but whether the customer is using 1Password, another password manager, or no password manager, the site should be accessible to all customers regardless of their physical limitations.

    I hope that helps explain the situation a bit and gives you some more concrete information to send to the internet banking support folks.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas
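
An added example, not from Jamie's post or from 1Password's filling code: a small audit that checks login markup for the problems described above (no password input to fill, image-map areas without alt text, the same placeholder alt text reused on several images). The sample markup is constructed to mirror the structure quoted in the post, with placeholder URLs; the `<area>` elements, the second form and all function names are assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from typing import List

# Constructed markup modelled on the structure quoted above; URLs are placeholders.
KEYPAD_LOGIN = """
<div id="SafeLogin_Cage">
  <img src="https://bank.example/BoardImage?session=PLACEHOLDER" alt="please wait..."
       name="SafeLogin_Keypad" usemap="#SMA_BoardMap">
  <map name="SMA_BoardMap">
    <area shape="rect" coords="0,0,40,40" href="#">
    <area shape="rect" coords="40,0,80,40" href="#">
  </map>
  <img id="SMA_asterisk_0" src="https://bank.example/asterisk.gif" alt="please wait...">
  <img id="SMA_asterisk_1" src="https://bank.example/asterisk.gif" alt="please wait...">
  <input type="hidden" name="session" value="PLACEHOLDER">
</div>
"""

# Constructed conventional form for comparison.
STANDARD_LOGIN = """
<form method="post" action="/login">
  <label for="user">Username</label>
  <input id="user" type="text" name="username" autocomplete="username">
  <label for="pw">Password</label>
  <input id="pw" type="password" name="password" autocomplete="current-password">
  <button type="submit">Sign in</button>
</form>
"""


class LoginMarkupAudit(HTMLParser):
    """Collects the few facts the audit needs while the markup is parsed."""

    def __init__(self) -> None:
        super().__init__()
        self.password_inputs = 0
        self.areas_without_alt = 0
        self.image_alts: Counter = Counter()

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "input" and attr.get("type", "text").lower() == "password":
            # Hidden inputs are deliberately not counted as fillable fields.
            self.password_inputs += 1
        elif tag == "area" and not attr.get("alt", "").strip():
            self.areas_without_alt += 1
        elif tag == "img":
            self.image_alts[attr.get("alt", "").strip()] += 1


def audit_login_markup(html: str) -> List[str]:
    """Return finding codes for markup that blocks filling or screen readers."""
    parser = LoginMarkupAudit()
    parser.feed(html)
    parser.close()
    findings = []
    if parser.password_inputs == 0:
        findings.append("no-password-input")   # nothing for a password manager to fill
    if parser.areas_without_alt:
        findings.append("area-without-alt")    # read out only as "link, image map"
    if any(alt and count > 1 for alt, count in parser.image_alts.items()):
        findings.append("reused-img-alt")      # e.g. "please wait..." on every image
    return findings


if __name__ == "__main__":
    print(audit_login_markup(KEYPAD_LOGIN))
    print(audit_login_markup(STANDARD_LOGIN))
```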

  • RJS
    Community Member

    Hello Jamie, Rick, and Frank:

    I must say, I've never received such thorough, prompt, and informative customer service -- you guys rock!

    I will get in touch with my bank again, and encourage them to contact you guys to further this discussion. I'm not optimistic they will, but we'll see. Rick suggested that I tell the bank to contact you at support@1password.com ... should I have them mention the title of this issue (i.e., "1Password filling doesn't work with on-screen keyboard"), or anything else such that one of you that have been involved will be contacted? I ask because you've invested lots of time, and I wouldn't want someone else in your group to start over from scratch.

    Thanks again!

    RJS

  • AGAlumB
    1Password Alumni
    edited January 2017

    @RJS: Thanks for the kind words, on behalf of Rick, Jamie, and everyone else here at AgileBits! We really love what we do, and we're lucky to have awesome customers like you who support us so we can keep doing it. So you can thank yourself too! ;)

    Linking to this discussion would help, but so long as it's directed to Rick and/or Jamie, we can direct it properly.

    Also, I apologize if it's been mentioned here already and I missed it, but I wanted to mention what for me is the biggest takeaway in situations like this: As a user, when a company makes it more difficult (or impossible) to use 1Password to fill a long, strong, unique password, that really incentivizes me to use a weak one I can type (or, in this case, click) easily*, and that's not good for anyone. They don't have to promote 1Password; there are other password managers out there. But they can promote better security and offer a better user experience by allowing us to use software to fill awesome login credentials. Otherwise even more folks are going to use "monkey123!" as their password, because it's easy, and that's also a liability for them, since they'll be the ones getting the phone calls when their customers' accounts are compromised. Food for thought.

    *Honestly, it incentivizes me to stop doing business with them too, but of course it isn't always that easy.

  • RJS
    Community Member

    Hi Brenty...

    I completely agree on what you have indicated is the biggest takeaway from this situation, and I told the bank of that concern when I contacted them this morning and requested they contact 1Password. Hopefully they will contact you, and if they don't, I'll let you know of their response, such that we can end this discussion.

    Again, thanks for your support!

    RJS

    P.S. Being new to 1Password, and still learning the basics. I've read through some of the user tips provided by agilebits (thanks!), yet can't figure out how to get the 1Password toolbar to show up. That is, when I'm on my browser, the attached screenshot is all I see; how do I get to all the other features of 1Password? Sorry - I should have started a new thread with this question!

  • Hi @RJS - Great question and I'll be happy to help out.

    You will need to install one of our apps. Since you signed up for a 1Password.com account, all of our apps are available to you since it's built into the pricing - Windows, Mac, iOS, and Android. You can find them by logging into your 1Password.com account > Click on the Account name in the upper right hand side > Select "Get the Apps" from the drop down menu. I will also include a helpful link below -

    https://support.1password.com/1password-setup/#set-up-the-apps

    Let us know if you have any questions, we'll be happy to help out :-) Have a fantastic day!

  • RJS
    Community Member

    Hi Frank - Ahhh, that's the trick. Cool - now I'll start installing the apps, and go from there.

    Thank you!

    RJS

  • Sounds like a plan to me :-) Keep us posted if you run into any questions along the way.

  • RJS
    Community Member

    I wanted to share the response from my bank, following my comment that was consistent with Brenty's "biggest takeaway" message; see below.

    Also, note that one of the security features on the website mentioned in their response is the following:

    "When you enter your PAC by clicking the on-screen keypad, malicious software that may be installed on your computer cannot "capture" your password. If you choose to use your keyboard to type your PAC, protection from keystroke capture is not available."

    Thanks again!

    RJS

    "We do not currently use two-factor authentication, but do have plans to implement this additional security enhancement in the future. Our current security design, with the keypad and personalized image, is based off federal recommendations regarding enhanced website security features for financial institutions.

    We are proud to be able to say that we see very little fraud occur through this channel with the current security features. Additional information about UltraBranch login security features and how to protect your online account can be found by visiting our website at: alaskausa.org/service/ultrabranch/personalized.

    Your concerns have been forwarded.

    If you have additional questions, please reply to this email or call the Member Service Center"

  • AGAlumB
    1Password Alumni
    edited January 2017

    @RJS: I really appreciate you following up with this update. Hopefully they'll get in touch. :)

    The thing to keep in mind is that if someone is able to log your keystrokes, they could just as easily take screenshots or record video to "capture" what you're clicking to enter the "PAC", so the onscreen keypad really only protects from the least capable bad actors — and really at that point you probably have bigger problems anyway, what with someone other than you being able to control your computer. I appreciate what they're trying to do, but it just doesn't offer any practical security benefit, while at the same time encouraging their customers to either use weak passwords or go through the arduous process of manually entering strong ones.

    There is perhaps hope though, as I have seen companies change over the years in response to customer feedback...but of course this is a slow process. All we can do as security-conscious users is keep pushing them to improve. :blush:

  • jxpx777
    1Password Alumni

    And actually, they don't even need to record video of your clicks. By injecting JavaScript, they can capture just the image that is shown to you and then the coordinates of the clicks inside that image and send that information off to a remote server. Much lighter weight than sending video.

    But, I would really like to see them get a blind user to try to use this sign in process. It's entirely unusable. Perhaps they have disagreements with us on what constitutes good security, but they can't disagree with a user that literally can't sign in to their account because their site is deliberately obtuse.

  • AGAlumB
    1Password Alumni

    @RJS: Jamie is right, and I think that the sad fact that I forgot this illustrates how I and those in charge of sites like this who aren't visually impaired neglect to consider the impact that these design decisions have on millions of people who simply won't be able to use it at all as a result, regardless of any security considerations. :(

  • RJS
    Community Member

    Gentlemen,

    Again, your insights are impressive; thank you.

    Yesterday I received a response to my last message to the bank; see below... they have an active project to remove the keypad! So, I thanked them for that good news, and my suggestion is for me to wait and see what their new system looks like. Sound good to you?

    Cheers,

    RJS

    "Thank you for your emails and also your inquiry. For our PAC screen we do have it designed to prevent any third party software from attempting to gain access of our members account, this includes any applications that our members use to store or keep track of passwords, like 1Password. However we do have an active project to remove the keypad and allow more complex passwords, the scheduled completion in the third quarter of this year."

  • jxpx777
    1Password Alumni
    edited February 2017

    Hah… apparently, our forum software can't handle posts that are only emoji? Edit: Apparently it can't handle emoji at all… 

    Well, :hands raised in celebration: :party popper:

This discussion has been closed.