Unable to search login on iOS 12 Apps

ericjansen
Community Member

Hi,

there was this post on this forum (name = Unable to search for logins if no website listed against it), where people were asking why their login wasn't available to search for (when a website wasn't filled in on the login item). Your reaction was: to prevent phishing. It makes sense to me (although it is very cumbersome to work with this. My work PC has no 1Password app (can't install), so when I add items manually, it doesn't fill in the URL).

Now, on iOS 12, we are able to use the passwords in Apps, but the website makes no sense there. I tried with 1 app, it did recognize I should be able to login, but then it just says: No logins found. Create login. But, I don't want to create a login, because the login already exists (but for the website).

What is your view on this?

Kind regards,
Eric


OS Version: iOS 12

Comments

  • Hi @ericjansen,

    This mechanism comes down to the way Password AutoFill works, tied with 1Password doing its best to protect you from phishing attacks.

    When you bring up 1Password from the Password AutoFill interface, the system hands 1Password a URL that represents the webpage or app in which you are trying to fill. We use that URL to filter which logins to show you. This works well in websites because 1Password always receives a URL from the system.

    However, if an app developer hasn't associated a domain with their app using a mechanism called (appropriately enough) Associated Domains, iOS doesn't have a URL to give 1Password during Password AutoFill. 1Password has to bring up your list of items without any way of filtering to just those items that match a given domain (since we aren't given one). In this case, 1Password will show all your items and use a fuzzy search to help you find the one you're looking for.

    If you're running into a situation where an app isn't showing any AutoFill results, that likely means it does have an Associated Domain but that domain doesn't match the one in your item. Take a look at the item you expect to see and make sure it has an appropriate website entry.

  • ericjansen
    Community Member

    Hi @ag_andrew ,

    you are right, there was a domain mentioned. The weird thing is, the domain was gijsbertus.com, but the app was from Nuon (a large heating company here in Holland). So, I guess the developers at Nuon use their own domain associated. Bad thing!

    Added gijsbertus.com to the nuon login entry, and it was found correctly. Now let's try to find one that hasn't got a domain associated :)

    Kind regards,
    Eric

  • ericjansen
    Community Member

    Hi @ag_andrew ,

    found one indeed where the domain wasn't associated, got a list with all the entries.

    Another question: if I already have credentials (for example saved in iOS iCloud Keychain, because I did previously before iOS 12), and I enter those by autofill iCloud Keychain, and press login. Can these credentials be captured by 1Password to save? Because, when I enter details on a website and the iCloud Keychain doesn't know these login credentials, it asks me whether I want to save those to the iCloud Keychain. This is also the case on the desktop, with the browser extension. If I enter login credentials 1Password doesn't know, it asks me to save (or update) those. Can this be done with the new AutoFill API as well? I know I can press NEW LOGIN and then manually enter my credentials (or generate a password, but that doesn't work for existing credentials), but that's a bit cumbersome if the credentials already exist.

  • Hi @ericjansen,

    To date, the Password AutoFill API doesn't include the ability to automatically create logins. Hopefully iOS 13 will expand the capabilities of the AutoFill API.

    If you have credentials saved in iCloud Keychain and you'd like to get those into 1Password, the best way is to fill your login with iCloud Keychain, and then (before tapping submit), open the 1Password App extension (https://support.1password.com/1password-extension-ios/), and tap New Login. That will capture the URL, Username and Password for you, and allow you to save the new item.

    Let me know if that works for you.

  • caskieadam
    Community Member

    If 1Password doesn't find a login (which I understand can happen easily), why am I not given the choice to search for one when I know I have it stored? Instead I reach a dead end where I need to create a new one or cancel, which isn't very helpful.

  • Ben
    edited February 2019

    Hi @caskieadam

    I believe Andrew touched on that here. The long and short of it is that one of the protections 1Password has in place (to help prevent phishing) is that it compares the website fields on your Login items with the URL you're currently viewing. In the case of apps, it uses the associated domain that the app developer has defined for the app. If there isn't a match between the website field and the current URL / associated domain 1Password will not fill your credentials.

    The idea is to stop things like someone setting up Ipassword.com (eye password dot com) and trying to get people to fill their 1password.com (one password dot com; the legitimate one) credentials there.

    That said we'd like to better understand when and why this is getting in the way rather than being helpful. If you have a few moments would you be willing to elaborate on what circumstances are causing you to run up against this, please? If you are using 1Password to save your login items for you (rather than entering them manually) 1Password should be adding appropriate website fields so that the logins can be filled where appropriate. If there are cases where that is not happening we definitely want to know so we can look to see if there are ways in which we can improve.

    Ben
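
Added example (not part of the thread and not 1Password's code): a minimal Python model of the filtering Andrew and Ben describe above, where the identifier the system supplies selects which items are offered and a missing identifier yields the full list. The matching rule (same host or a subdomain), the vault contents and `nuon.example` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault; titles and "nuon.example" are illustrative placeholders.
VAULT = [
    {"title": "1Password", "websites": ["https://1password.com"]},
    {"title": "Nuon", "websites": ["https://nuon.example", "gijsbertus.com"]},
    {"title": "Amazon", "websites": ["https://amazon.com", "https://amazon.co.uk"]},
    {"title": "Manually added login", "websites": []},  # no website field
]

def host_of(value):
    """Lowercased hostname of a URL or bare domain, or None if there is none."""
    if not value or not value.strip():
        return None
    value = value.strip()
    if "://" not in value:
        value = "https://" + value  # bare domain, e.g. an app's associated domain
    host = urlsplit(value).hostname  # urlsplit lowercases the hostname
    return host.rstrip(".") if host else None

def site_matches(saved_site, requested_host):
    """Assumed rule: same host, or requested host is a subdomain of the saved one."""
    saved = host_of(saved_site)
    if saved is None:
        return False
    if saved.startswith("www."):
        saved = saved[4:]
    return requested_host == saved or requested_host.endswith("." + saved)

def candidates(vault, service_identifier):
    """Return (mode, titles) offered for one AutoFill request."""
    host = host_of(service_identifier)
    if host is None:
        # The system supplied no URL or associated domain: nothing to filter on.
        return "unfiltered", [item["title"] for item in vault]
    hits = [item["title"] for item in vault
            if any(site_matches(site, host) for site in item["websites"])]
    return "filtered", hits

if __name__ == "__main__":
    for ident in ("https://1password.com/signin", "https://Ipassword.com/signin",
                  "gijsbertus.com", "https://www.amazon.co.uk/ap/signin", None):
        print(repr(ident), "->", candidates(VAULT, ident))
```

The item with no website field is only reachable in the unfiltered case, which is the behaviour the original post ran into.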

  • ramin_h
    Community Member
    edited February 2019

    I also experienced this problem.

    An example app I couldn't log into was Kik, and had no way of searching for the login I know I had. So exit out to home screen, launch 1password, copy username, launch kik, paste, go back to 1password, copy password, go back to kik paste again.

    Edit: 1password mentions the site it's looking for so I edited the entry to have the domain and I'm sure it won't happen going forward. Can't help but be irritated by the process.

  • Ben

    Hi @ramin_h

    How could we have done better here? Did you have a website field on your kik login item?

    Ben

  • ramin_h
    Community Member

    Hi Ben

    Ideally, from a usability stance, I would have liked to see a Search box that I could search for the item to auto-fill. But my understanding from reading the above is that it poses a phishing risk.

    Humble opinion on the phishing-risk: if the user is on that page and it's a phishing attack, they have already gone too far. The user will be entering their credentials regardless of there being a search box or not.

    I totally understand the decision to omit it.

  • Ben

    Thanks @ramin_h. :) The idea is that if you have 1Password set up properly the fact that you don't see your login item when you think you have one should tip you off that something is amiss, and perhaps you aren't where you think you are.

    Ben

  • mandrous
    Community Member

    The problem with that, Ben, is that you are putting way too much trust in Developers to associate their apps and domains correctly, and you are also not taking into account when one account can be used on multiple sites.

    For example, I can use my SmartThings account to log into their website AND Samsung's website.

    Please consider making it an option, as it is super super annoying for those of us that know what we are doing.

  • Ben

    > Please consider making it an option, as it is super super annoying for those of us that know what we are doing.

    It is incredibly rare that we say 'no,' however I would be very surprised if we removed phishing protection from 1Password. Even folks who know what to look for can be in a rush or be tricked by phishing.

    > The problem with that, Ben, is that you are putting way too much trust in Developers to associate their apps and domains correctly, and you are also not taking into account when one account can be used on multiple sites.
    >
    > For example, I can use my SmartThings account to log into their website AND Samsung's website.

    It is possible to specify multiple websites that a login will work for, and for many of those that we know about we do this for you when you create a login. For example, Amazon accounts can be used on a few different websites / apps. We recognize that and will fill on both amazon.com and amazon.co.uk.

    Ben

  • parekh
    Community Member

    Hello, I just want to add that I am also being bothered by this "feature" quite often. I strongly agree with the previous posters that there should be a way to search for the login to autofill. Do you have any real evidence that this "feature" is preventing phishing attacks? Whenever I encounter the "no logins found" message, I simply open the 1Password app and copy paste the data. If other users are also behaving in the same manner, then I doubt that there is any "protection" going on here. Would love to hear your thoughts on this.

  • parekh
    Community Member

    An alternative suggestion: enable the search feature and allow users to auto-fill passwords where the website does not match the associated domain, but display a big warning that says "Warning: the associated domain does not match the login website. This may be a phishing attack. Please proceed with caution."

  • AGAlumB
    1Password Alumni

    > Hello, I just want to add that I am also being bothered by this "feature" quite often. I strongly agree with the previous posters that there should be a way to search for the login to autofill. Do you have any real evidence that this "feature" is preventing phishing attacks?

    @parekh: Yep. Many people contact us and ask us about it instead of just dumping their credentials into a website other than the one they told 1Password to use them on. That gives us an opportunity to help them make an informed decision: they can choose to add the relevant URL to the Login item if they want those credentials to be used there, or not, and either way they understand why and can apply that understanding going forward.

    > Whenever I encounter the "no logins found" message, I simply open the 1Password app and copy paste the data. If other users are also behaving in the same manner, then I doubt that there is any "protection" going on here. Would love to hear your thoughts on this.

    That's like saying an airbag offers no protection because it can be removed. Certainly you can circumvent almost any protection, both online and in the real world, but if this stops and gives even a few people pause (it's many more than that, from experience), that's better than the alternative.

    > An alternative suggestion: enable the search feature and allow users to auto-fill passwords where the website does not match the associated domain, but display a big warning that says "Warning: the associated domain does not match the login website. This may be a phishing attack. Please proceed with caution."

    To be clear, we don't have any control over this when you're using Autofill. But we're glad Apple made it work that way, and it's not something we're going to change in 1Password itself even in situations where we could. As I mentioned above, if you're sure that you want to use example.com credentials on example.net, you can edit the Login item in 1Password and that will work. And Microsoft proved with UAC (User Account Control) prompts on Windows over a decade ago that, in addition to being a bad user experience, people just click through these things and ignore them anyway.

  • parekh
    Community Member

    @brenty -- Thank you for your thoughtful reply! I understand that what's best for my use case may not be best for everyone's use case, and I trust that you know your users well enough to make the right decision. Sometimes I just wish there was a way to give both groups of users what they want!

  • AGAlumB
    1Password Alumni

    @parekh: Thanks for understanding. There are definitely ways to give everyone sort of what they want, but that path often leads to unfocused software that really isn't good at anything at the expense of being mediocre at too many things. I won't give any examples because I don't have nice things to say about it. :lol: I think if we were making a different kind of software, we'd perhaps embrace more flexibility. But since our focus is security, minimizing options/settings/etc. avoids whole classes of bugs that stem from unforeseen interactions and increased complexity. I think it's the right way to go, given the alternatives, but I do appreciate that there are some downsides. There are tradeoffs no matter what, so we're just trying to make the right ones given that people depend on us to help them be more secure.

This discussion has been closed.