Filling in NemID using 1Password X

Hi AgileBits.

I have a problem using your extension 1Password X to fill in NemID.

All banks in Denmark have more or less the same form of authentication. NemID.
Sydbank: https://www.sydbank.dk/privat
Danske Bank: https://danskebank.dk/privat
Contact with the Danish authorities (for moving, choosing a doctor and picking a school for your kids): https://www.borger.dk/
Third-party sites can also get NemID embedded in their system in order to verify that the user is real.

Login pages
Danske Bank: https://danskebank.dk/en/personal/help?n-login=pbnetbank
Sydbank: https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS
Borger.dk: https://nemlog-in.dk/login.aspx/noeglekort

You can read about NemID here: https://www.nemid.nu/dk-en/
The people behind NemID are Nets: https://www.nets.eu/dk-da

In January 2017, the NCSC commented on the use of password managers (positively):
https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords and a Danish technical media outlet asked the Danish system about it: https://www.version2.dk/artikel/britisk-cybertjeneste-kodeords-blokering-nemid-app-daarlig-ide-1076987
The response from the Danish system was (my translation; the Danish version can be read in the article):
It's important that one's password is protected as best as possible. One of our security features is, amongst others, that you can't copy-paste passwords into NemID login fields. The choices of our security choices cannot be explained due to the security in the solution.

I have looked into "Don't Fuck With Paste"(https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/) and I can now paste passwords, but I would very much like to avoid extensions like that.

The "NemID" has already been discussed in another topic in this site, but that was for the iOS version of 1Password.
https://discussions.agilebits.com/discussion/79959/1password-for-ios-can-not-fill-forms-based-on-nemid

Currently I use 1Password X which actually finds the fields, it just can't paste anything into them..

So AgileBits, could you please look into adding support for this? Or maybe tell me how to do it? I know that the JavaScript code is very obfuscated since they think it makes it much more secure...
This could potentially help a lot of Danes using your product.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • dteare Agile Founder

    Team Member

    Hello, @spuc! 👋

    Thank you so much for the incredibly detailed post about NemID.

    One idea is we could potentially add NemID as a field within Identities. Another idea which is probably more useful is to allow you to add a custom NemID field to your logins and include it during filling when you select that login.

    From the sounds of things, however, this goes against the NemID terms of service:

    Your code card must not be digitalized
    
    * Your code card is personal to you and must not be made available to anyone else.
    * Never keep your code card together with your password. According to the NemID rules you are not allowed to write down your password.
    * You will automatically be sent a new code card before you have used all the codes on the card.
    * If you lose your code card or suspect fraud, you should immediately block the card.
    * You must not copy, photograph or digitalize your code card.
    

    So I don't think they'll be offering to help either of us with this solution. 🙂

    We'll look into the custom fields idea further and hopefully that will work for you. In the meantime, I think you'll be able to manually fill in your NemID and save it as a new login. This should allow you to fill the form again as we don't use copy-and-paste during filling.

    I hope that helps. Give it a go and let us know how it goes.

    ++dave;
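The difference between a blocked paste and a fill that does not go through the clipboard, as an added example that is not part of the original thread and is neither NemID's nor 1Password's code. `Field` is a stand-in for an input element, and the way `managerFill` sets the value and fires events is an assumption about how a form filler typically works:

```javascript
// Added illustration: Field stands in for an <input>; it is not a DOM element.
class Field extends EventTarget {
  constructor() { super(); this.value = ''; }
}

// Page-side control: cancel every paste event on the field.
function blockPaste(field) {
  field.addEventListener('paste', (e) => e.preventDefault());
}

// Models a user paste: the default action (inserting the text) only
// happens when no listener cancelled the event.
function userPaste(field, text) {
  const ev = new Event('paste', { cancelable: true });
  const allowed = field.dispatchEvent(ev);
  if (allowed) {
    field.value += text;
    field.dispatchEvent(new Event('input'));
  }
  return allowed;
}

// Models a form filler (assumption): write the value directly, then fire
// the events the page listens for. No paste event is dispatched.
function managerFill(field, text) {
  field.value = text;
  field.dispatchEvent(new Event('input'));
  field.dispatchEvent(new Event('change'));
}

function demo() {
  const field = new Field();
  let inputEvents = 0;
  field.addEventListener('input', () => { inputEvents += 1; });
  blockPaste(field);
  const pasted = userPaste(field, 'constructed-secret'); // constructed value
  const afterPaste = field.value;
  managerFill(field, 'constructed-secret');
  return { pasted, afterPaste, afterFill: field.value, inputEvents };
}

console.log(demo());
```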

  • Hi @dteare

    As you might know, NemID is somewhat 2 factor.

    • Username + Password
    • Code from printed card or Accept button in NemID app.

    Actually I was just talking about the filling out of the webform.
    I couldn't get the automatic fill to work on NemID. But somehow after deleting the username and reinserting it again, it now works on some of the NemID login-forms.

    But on other pages, only the username fill works.
    I can show it to you here:

    Tried the NemID form on the page: https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS

    I'm using Firefox 62.0.3 with 1Password X extension version 1.11.0

  • littlebobbytables 1Password Alumni
    edited February 2019

    Hi @spuc,

    Here's my take on NemID. I created a basic Login item and then I added a whack of website fields, five in total, and they were:

    1. https://applet.danid.dk/
    2. https://nemlog-in.dk/login.aspx/noeglekort
    3. https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS
    4. https://danskebank.dk/en/personal/help?n-login=pbnetbank
    5. https://www.borger.dk/borgerapi/PerformLogin?idPItemId=96a32866-df0a-4e8c-a072-0765f2b44823

    The first is the iframe loaded by each site for the actual NemID sign-in form. The second is the destination link for www.borger.dk but I found it didn't like being loaded directly. After that are the URLs for the three sites you mentioned. You need all of them for filling to happen at all on each site but the last three also have the property that they could be used with open-and-fill.

    Now I found the sign-in page at nemlog-in.dk worked well and I got the expected prompts from 1Password X and everything filled. sydbank.dk and danskebank.dk on the other hand weren't quite as willing to work but with a bit of prompting I could get 1Password X to fill. What I had to do was if clicking on the username field didn't result in the 1Password X icon appearing in the field I would right click and select the Show 1Password contextual menu option. Once 1Password X appeared I could fill the field. Sometimes clicking on the password field would then see it fill with no further action, sometimes I would have to go through the same steps. Whilst certainly more steps than it ought to take, 1Password X could be prompted and would fill both fields. I would be interested to learn if you find the same.

    Clearly we still have work to do here. 1Password X repeatedly failed to identify the fields as it was meant to across the various examples and it should be consistent considering they're all loading the same iframe. Hopefully the ability to fill with 1Password X will help to make up for this a bit while we work this out though.

    ref: x/b5x#617

  • I'm having trouble with portal4.sydbank.dk too. Funny thing is that on my old Mac running High Sierra and 1Password 6.8.8, it works fine!

  • littlebobbytables 1Password Alumni

    Hello @relausen,

    So I haven't visited the page since I last replied to this conversation back in 2018 so it was time for a refresh. What I found was my Login item from before still worked but that there were still caveats for the https://portal4.sydbank.dk/wps/portal/sydbank-dk/NemIDJS URL.

    1. Load the page as you normally would.
    2. Ensure keyboard focus is on the username field. This seems to be the default.
    3. Click the 1Password X button in the browser toolbar and fill from the toolbar menu.
    4. Either use the tab key or click on the password field.

    Now I've experienced two different behaviours here. Sometimes 1Password X will automatically fill the password field and from there you should be able to sign in. If it doesn't, with keyboard focus on this field perform step 3 again.

    My testing suggests that even if you need two fill instructions, 1Password X should eventually fill both fields. We still have work to do to improve this, after all it really should just take a single fill command given both fields but so far I've managed to coerce 1Password X to fill both fields.

    If you're still having trouble can you describe what you're trying and how it is failing please and I'll see what we can learn.

  • Hi!

    I'd just like to chip in here as well :-)
    I'm using another bank than the previously mentioned, where I've never been able to get 1Password X to fill the password, no matter which approach I try. Sometimes I can get the username filled, but that's about it.

    The link to the bank is here:
    https://portal4.erhverv.djurslandsbank.dk/wps/bankdata/jsp/html/da/PortalFrame.jsp?danid=true

    If I can in any way help out with any more testing, please let me know, as I'd love to :-)

  • kaitlyn

    Team Member

    Hi @ldbr! 👋

    Thanks for reporting this to us. As much as I wish we could behave better here, I'm struggling to come up with a solution. I took a look at the HTML for the NemID form, and they're using five different password fields all placed on top of each other. I couldn't tell you why that is, and I'm not really sure what it accomplishes, but it's definitely not doing 1Password any favors. It doesn't stop there, either. The HTML name/ID of each of the password fields are long strings of characters, which change each time the page is loaded. That significantly increases the difficulty for a password manager. I was able to get an item filling the password, surprisingly, but I wasn't able to get it filling consistently enough to even recommend it to you. It'll fill maybe once or twice, then I continue to refresh the page, and it's back to square one. I truly think your best bet here is to click and drag your username/password from the 1Password X pop-up to the proper fields. If you need any help with that, please let me know. I've also passed your report along to our developers so they can continue to investigate.

    ref: dev/core/core#890
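Why an identifier saved on one page load stops matching on the next, and what matching on structure looks like instead, as an added example that is not part of the original thread and is not 1Password's code. The field snapshots are constructed; the thread does not say how NemID decides which of the five fields is live, so the visibility and stacking values here are assumptions:

```javascript
// Constructed model of one page load: five stacked password inputs.
// Ids differ on every load (deterministic stand-in for the random names).
function renderLoad(load) {
  return [0, 1, 2, 3, 4].map((i) => {
    const zIndex = (i + load) % 5;
    return {
      id: 'pw_' + (load * 7919 + i * 104729).toString(36),
      type: 'password',
      rect: { x: 40, y: 120, w: 200, h: 28 }, // all five share one box
      zIndex,
      visible: zIndex !== 4, // assumption: one layer is hidden
    };
  });
}

// Matching on a saved id: works only while the id stays the same.
function findBySavedId(fields, savedId) {
  return fields.find((f) => f.id === savedId) || null;
}

// Matching on structure: visible password inputs, topmost in stacking order.
function pickFillTarget(fields) {
  const candidates = fields.filter((f) => f.type === 'password' && f.visible);
  if (candidates.length === 0) return null;
  return candidates.reduce((top, f) => (f.zIndex > top.zIndex ? f : top));
}

function demo() {
  const first = renderLoad(1);
  const saved = pickFillTarget(first).id; // what a filler might have stored
  const second = renderLoad(2);           // page refreshed, ids regenerated
  return {
    saved,
    savedIdStillPresent: findBySavedId(second, saved) !== null,
    structuralTarget: pickFillTarget(second),
  };
}

console.log(demo());
```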

  • Hi @kaitlyn !

    Thank you very much for taking your time to reply :-)

    You just got me excited there for a second, as I didn't know about the "drag and drop" variant. However, unfortunately I couldn't get that to fill either.

    I did dig into the HTML myself, and found the same you did; multiple password fields, with unique and randomized IDs. Yay ☹️ NemID has always (in Denmark) been known as using a lot of "security by obscurity", so this is probably just one of those cases as well, since everybody knows that security by obscurity is the way to go... :)

    I'll see if I can come up with a solution, and if I do, I'll let you guys know :-)

  • ag_ana

    Team Member

    Sounds good @ldbr, thank you 👍 :)

  • I just posted an extension on the Chrome store that lets you paste data in the NemID applet: https://chrome.google.com/webstore/detail/nemid-paste/cnfplfabjimdldldakmnolmgooflgpml

  • ag_yaron

    Team Member

    Thanks for sharing @micvbang !

  • Hi everyone,

    I just changed from LastPass to 1Password, and I am a frequent user of NemID (as all Danes are...). It sounds like NemID truly has made life difficult for password managers, but somehow the LastPass extension for Chrome worked like a charm with NemID. So I just want to say that there must be some way to get it to work. :)

  • ag_yaron

    Team Member

    Hey @elisabeth_zinck ,
    Thanks for the update! We'll take another look at it and see if there's something we can do that won't require big changes to 1Password.

    Thank you 👍

  • +1 on taking another look please. Safari's native password manager works for NemID as well, but I'd absolutely love to stick to 1Password and avoid browser lock-in.

  • ag_yaron

    Team Member

    Thanks for chiming in @primdahl .

    We've implemented a fix internally for NemID, hopefully it will reach out to all of you in the next couple of updates! 👍

  • Any news on this?? I just started my trial period on 1Pass, and to my surprise I couldn't get NemID to work, which I have to use every single day.. So it's a huge dealbreaker. The built-in Chrome password manager works without any issues though.

  • @Lit7

    We've made some changes in our beta version of 1Password for your browser, which might improve your filling experience with sites that use NemID. Would you be willing to give it a try? You can install it from here.

    Let me know how it goes, or if you have any questions.

  • @ag_chantelle The beta works great, thanks!

  • ag_ana

    Team Member

    That is great to hear @Lit7, thank you for letting us know :)
