Feature request: smart login creation and updating
I have used several web sites that collect login information for a bunch of my financial sites and give me one place to view all my financial information. The interesting thing they all do is 1) ask for what institution I'm connecting to (Wells Fargo, BofA, etc.), 2) what my username and password are. It then knows how to log in and get that info. (Some of them also then provide a simple way to log in.)
Basically these guys know how to log in to common sites used by many thousands of people. My request is that 1Password step up its game and add this level of intelligence to the system.
For example, if I wanted to create a login for Facebook, I would select something like "create new smart login". It would ask me to choose between hundreds of common services. It would ask for username and password, etc. It would then auto create a login card for that site.
However, and this is the kicker - you would auto update the card if Facebook (or any site) changed the way you log in. It is a constant thing for me to go fix login cards for sites that just had to update their UI and moved things around. I think this would be massively valuable for those sites that have multi-step login processes (like many banks and brokerage sites).
This would really set you apart from every other password app out there as well.
Ray
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@rjohnson: Okay, I haven't seen this brought up before, but that's a really interesting point — infeasible in the case of 1Password (more on that below), but I'll have to eat my humble pie for a minute here.
You're absolutely right. In spite of the hard time I often give the financial industry on account of their terrible security practices — "secret questions", SMS authentication, inaccessible website designs, filling and paste prevention, password restrictions, and much more — they're actually doing pretty well when it comes to integration. Granted, at least once a month one of my accounts can't be accessed at all in Mint or Personal Capital for a week or more, which really screws me up a bit, but for the most part this stuff just works.
Now, I don't have any real insight into how all of that is handled, but as far as what it would take for 1Password to do something similar, there are two major obstacles:
- Standards. There are well-defined standards for login forms, but many, many sites seem to ignore these completely. Otherwise login filling would just work everywhere. As far as I know, no such standard exists for things like changing passwords, but given that login form standards are not followed I wouldn't expect these to be either. If you've ever not had 1Password offer to update a login for you when you changed the password on the site, you'll have an idea of how much of a struggle this is already.
- Scale. There are a limited number of financial sites out there, but many, many more other websites — with others popping up every day. So while we could take a "top 1000"* approach to this (more on that below), that's still a lot of sites which would need to be constantly updated with regard to both the URL ("easy") and how the form itself is set up ("hard").
*Regarding the "smart login" suggestion, 1Password for iOS already does something very similar to this with its new login creation. We've got general templates for "top 1000" sites, which you can use to enter your username and password and automatically get a basic login for the site with a nice icon. It's something I hope we can do more with in the future.
We have people who almost exclusively work on improving the browser extensions, and often this means per-site fixes. It's a bit like Whack-A-Mole™. And if we went this route, we'd have to hire a bunch of people whose only job would be to constantly test and update website profiles, based on how many sites we want to target. And when we have people waiting for replies in the forums or via email, it feels more important to add team members to help our customers directly, especially when password changes are not common. Once you have a long, strong, unique password for a website, the only reason to change it is if it becomes compromised. So our focus currently is on customer service and improving login filling, since that benefits the greatest number of people.
That said, I really love this idea, and hope that something like this is possible one day, if nothing better comes along before then. Thanks for bringing this up! :)
-
Thanks for the thoughtful reply!
I certainly understand the obstacles. Particularly around standards. Even if you wrote an RFC it would go nowhere unless Google, Apple and Microsoft bought into them... Maybe one day...
As far as scale - one thought would be to do something in a more community supported way. I.e., users could create formulas for login card creation for popular sites and then submit them. Others could "test" them to make sure they work and accept or reject them. Ones accepted by a few folks could become available for all. Perhaps they get credit for creating it, or folks get badges for creating the most accepted ones (and then require fewer approvals as they become trusted.)
Basically use the masses of the community to do that work. It is the only way you would get to the long tail of sites anyway. You could even support the top 1000 with fewer "employee" resources.
My feeling is it is also a great way to get users yet more vested into 1Password. I mean you have a lot of fans now but they become even bigger fans if they are a part of what makes it great! (Plus you might get many folks who are 1Password users who work at various web sites that might ensure a new formula works for their company web site the day it changes!)
Ray
-
Thanks a lot for your thoughts and passion here, Ray! This is really interesting stuff. As a general rule, 1Password is allergic to asking users to share their data with us, even on an opt-in basis. We just don't want to put ourselves into a position to know more about you than is absolutely critical for us to provide the functionality that we do. Even having information that a given user was active on a given site at a given date and time could be problematic for a user in the right/wrong circumstances. The best way for us to protect users' privacy is to not have that data.
That being said, I think this is really interesting, and we on the extensions team have been kicking around some crazy ideas that have a lot in common with what you're describing without being identical. Right now, these are at the skunkworks sort of level, so I can't say when or even if they'll see the light of day. But being able to have 1Password adapt to the shifting landscape of sign-in forms and flows is something we are very interested in.
--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas