Login with 1Password option
As a developer (box office ticketing as a subset of ecommerce), I want people using websites based on the system that I build to have as simple and pleasant an experience as possible. One point of friction - especially for mobile checkout - is requiring someone to create a password. I use 1Password myself, and even with 1Password I find having to create a new password on Firefox/Android seriously annoying: I believe that it's down to what the OS and browser security models will let you do, which is fair enough, but switching into the 1Password app, creating an entry, switching back to the browser, switching to 1Password keyboard mode, and then filling the username and password, is a pain.
What we have to help avoid this problem is social login integration - Facebook, Google, Twitter, Paypal, etc. - but lots of people are suspicious of what will happen with their data if they use these options.
So:
Would it be technically feasible (after development on both sites) for me to add Javascript to my login page, so that a button can appear "Login with 1Password" next to my "Login with Facebook" button, and when that button is clicked, the whole authentication process is handled - in javascript, on the client side - between the browser and the local 1Password installation? That is, can we work around, with custom javascript on my end and hooks and intents and whatever on yours, the things that the browser doesn't let you do?
Ideally when clicking "Login with 1Password", if the 1Password client is installed on the device, we check for a password entry for that site, and if it exists we fill in the password fields, and if it doesn't we create a password entry in 1Password with a strong random password and record it and all the web form details and then fill it. What attack channels would this open up? Would 1Password be able to tell that the URL we're requesting the password for is the "real" one, and it's not some driveby exploit site saying "hey, what's your Google Password? Cheers!"?
Anyway. If technically possible, I imagine it would be good for you, because a "Login with 1Password" button on sites would be good advertising...
Comments
-
@bencurthoys: Really interesting perspective here. Thanks for sharing your thoughts! It's definitely a one-step-at-a-time thing, but we're actually working on some things that should help with this longer-term, especially on Android where Google has been introducing some cool tools. You've probably noticed some of this with Android Autofill and Accessibility this past year. I'm not sure we're going to necessarily go the route you're talking about with integration directly on websites, as not every web dev is as awesome as you for us to be able to count on that. But Android Autofill especially, as browsers and other apps add support for it, allows us to have 1Password offer its services for generating, saving, and filling passwords. Weirdly Firefox Focus has some support for this already while (regular) Firefox does not (yet, I'm sure). So while it isn't something that can happen overnight, we'll get there. The direct website integration is a really awesome idea though, and it would be great if we could do something like that in the future that would work on all platforms. Thanks for bringing this up! :)
0 -
I'd missed those accessibility enhancements. And my phone updated itself to Android 8.0 last week. BRB Switching to Firefox Focus!
0 -
Ok that integration with Firefox Focus is exactly what I wanted. Awesome.
Don't want to bang on about it, but one more thing on direct website integration: one appeal from the website developer's point of view is that it should be a completely self-contained "include some javascript and it just works" job. The thing about OAuth login integration is that you have to do server-side work to make it work, and configure the Facebook / Google / etc ends and generate secret keys and so on. But 1Password rides directly on top of the site's existing username / password infrastructure, so would be v. easy to implement, and that's what you need if you want to encourage website take up. Still. Idea is pretty much redundant with Android Autofill working properly.
0 -
I'd missed those accessibility enhancements. And my phone updated itself to Android 8.0 last week. BRB Switching to Firefox Focus!
@bencurthoys: Haha nice! It's a great browser! :lol:
Ok that integration with Firefox Focus is exactly what I wanted. Awesome.
So glad to hear that! :chuffed:
Don't want to bang on about it, but one more thing on direct website integration: one appeal from the website developer's point of view is that it should be a completely self-contained "include some javascript and it just works" job. The thing about OAuth login integration is that you have to do server-side work to make it work, and configure the Facebook / Google / etc ends and generate secret keys and so on. But 1Password rides directly on top of the site's existing username / password infrastructure, so would be v. easy to implement, and that's what you need if you want to encourage website take up. Still. Idea is pretty much redundant with Android Autofill working properly.
Oh totally. But apart from the fact that it would be up to individual websites to implement it (you and I aren't exactly representative of the state of the web, no matter how excited we can get about an idea like this), right now it's less scary because there's no precedent for a "1Password button" on websites. If there were, as easy as it would be for website owners to include it if they wanted, I imagine that malicious folks could just as easily steal the Javascript, make some changes to it to collect data, and have their own fun with it. There are probably things we could do on our end in the apps to compensate for that, but since most users aren't going to understand any of this we'd probably have people seeing a 1Password logo filling stuff themselves when 1Password is "broken" and doesn't fill it for them (in the case of something shady we detect). So there's a lot we'd need to consider from a security perspective before doing anything like that for convenience. So for now having all of this done in the apps that users can download directly from us (as opposed to functionality in random websites) has a lot going for it. But if we can find a way to avoid the risks of direct website integration while reaping the rewards, that could be pretty sweet. Cheers! :)
0
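Added example (not part of the thread, and not 1Password's code): one way a password manager could answer the "is this the real site?" question raised above is to key every saved login to the origin the browser reports and to ignore whatever the page's own script claims. The vault entries, URLs and the `pageClaim` parameter are constructed for illustration.

```javascript
// Constructed vault: each saved login is bound to exactly one origin.
const vault = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://tickets.example.org", username: "alice" },
];

// Reduce a URL to scheme + host + port. Returns null for anything that
// should never receive a saved credential.
function canonicalOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:") return null;    // no fill over plaintext HTTP
  if (url.username || url.password) return null; // "https://real.site@other.host/" form
  return url.origin; // host lowercased, default port dropped
}

// browserOrigin: what the browser/OS reports for the top-level page.
// pageClaim: what the page's script says it is (hypothetical button
// parameter). It can only cause a refusal, never select an entry.
function decide(browserOrigin, pageClaim) {
  const origin = canonicalOrigin(browserOrigin);
  if (origin === null) return { action: "refuse", reason: "untrusted origin" };
  if (pageClaim !== undefined && canonicalOrigin(pageClaim) !== origin) {
    return { action: "refuse", reason: "page claims a different site" };
  }
  // Exact match only: no suffix, substring or "looks similar" matching.
  const entry = vault.find((e) => e.origin === origin);
  if (entry) return { action: "fill", username: entry.username };
  // Unknown origin: a fresh random password can be offered here, because
  // nothing saved for another site is ever exposed to this one.
  return { action: "offer-new", origin };
}
```

A copied button script running on a lookalike domain reaches only the `offer-new` or `refuse` branches, so the saved Google entry is never filled there.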