1Password's autofill enters password into OneLogin's 2FA field

On my company's OneLogin portal, 1password always pastes my password into the OTP field. I think this is because OneLogin marks the field type="password".

This has been a problem as long as we have used OneLogin (over a year now). It happens in Firefox and Chrome, with the 1password 7 browser add-on and with 1passwordX. I can only speak to Mac. I have tried renaming the field in 1password to "security-code" and "Enter your Authenticator code" thinking that might give 1password a hint. Neither was successful.

Unfortunately, you cannot access the offending page without a valid username/password. If you DM me, I am happy to provide you one in our system temporarily while developing/debugging.

A screenshot of the offending element
The HTML of the offending element is

<input class="sc-jzJRlG hxEkIM sc-VigVT gupvKM" data-testid="security-code" id="security-code" value="" autocomplete="off" autocorrect="off" spellcheck="false" maxlength="255" type="password" data-reactid=".0.1.0.2.1.1.0.0.1.0">

The full HTML (with base64 encoded images and some CSS removed):

<!DOCTYPE html>
<html style="height: 100%" lang="en"><script type="text/javascript">(function(){EventTarget.prototype.ol_originalAddEventListener=EventTarget.prototype.addEventListener,EventTarget.prototype.addEventListener=function(t,e){var n=this,r=arguments.length>2&&void 0!==arguments[2]&&arguments[2];this.ol_originalAddEventListener(t,e,r),"click"===t&&setTimeout((function(){!window.OL_NOT_LOGIN_PAGE&&n.setAttribute&&n.setAttribute("data-ol-has-click-handler","")}),0)}})("")</script><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="theme-color" content="#000000">
  <meta name="robots" content="noindex,nofollow">
  <link rel="shortcut icon" href="https://web-login-v2-cdn.onelogin.com/login2/favicon.ico">

  <link href="OneLogin2FA_files/css.css" rel="stylesheet">
  <script type="text/javascript">window.thisdata = { options: {} };</script><style>@media print {#ghostery-purple-box {display:none !important}}</style>
  <script type="text/javascript" src="OneLogin2FA_files/onelogin-vigilance.js" async="true"></script>
  <title>OneLogin</title>

  <!--[if lt IE 9]>
    <style>
      .withConditionalBorder {
        border-width: 1px;
        border-style: solid;
        border-color: #e8eaeb;
      }
    </style>
    <![endif]-->
<script type="text/javascript">(function(t){void 0!==window.create_plugin_detected_div&&window.create_plugin_detected_div(t)})("firefox_3.4.17")</script>
</head>

<body style="padding: 0; margin: 0; height: 100%; font-family: Roboto, 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, sans-serif;">
  <noscript>
    You need to enable JavaScript to run this app.
  </noscript>
  <div id="root" style="height: 100%"><div class="sc-iujRgT ddljDz" data-reactid=".0"><div class="sc-GMQeP ehoOaH" data-reactid=".0.0"></div><div class="sc-gojNiO kozmSQ" data-reactid=".0.1"><div class="withConditionalBorder sc-daURTG bQlMlR" data-reactid=".0.1.0"><div class="sc-epnACN cLdzux" data-reactid=".0.1.0.0"><div class="sc-iQNlJl kMviSF" data-reactid=".0.1.0.0.0"><img class="sc-bsbRJL gqiYvh" src="OneLogin2FA_files/47fe40ca7c57a177fcf2a85158ed48cb8c32ed53.png" data-reactid=".0.1.0.0.0.0" data-ol-has-click-handler=""></div></div><div class="sc-eLExRp htXRcF" data-reactid=".0.1.0.2"><noscript data-reactid=".0.1.0.2.0"></noscript><div data-reactid=".0.1.0.2.1"><div class="sc-jqCOkK cgMsoX" data-reactid=".0.1.0.2.1.0"><img class="sc-uJMKN jPxHmC" src="data:image/png;base64,..." data-reactid=".0.1.0.2.1.0.0"><div data-reactid=".0.1.0.2.1.0.1"><span data-reactid=".0.1.0.2.1.0.1.$paragraph-1-1"><span data-reactid=".0.1.0.2.1.0.1.$paragraph-1-1.0">Google Authenticator</span></span></div></div><form class="sc-EHOje sDMuk" data-reactid=".0.1.0.2.1.1"><div class="sc-bZQynM QzQWh" data-testid="security-code-screen" data-reactid=".0.1.0.2.1.1.0"><div class="sc-gzVnrw bbllgR" data-reactid=".0.1.0.2.1.1.0.0"><div class="sc-dnqmqq jomEGJ" data-reactid=".0.1.0.2.1.1.0.0.0"><label class="sc-iwsKbI hOobUj" for="security-code" data-reactid=".0.1.0.2.1.1.0.0.0.0"><span data-reactid=".0.1.0.2.1.1.0.0.0.0.0">Enter your Authenticator code</span></label></div><div class="sc-jTzLTM kGoDGv" data-reactid=".0.1.0.2.1.1.0.0.1"><input class="sc-jzJRlG hxEkIM sc-VigVT gupvKM" data-testid="security-code" id="security-code" value="" autocomplete="off" autocorrect="off" spellcheck="false" maxlength="255" type="password" data-reactid=".0.1.0.2.1.1.0.0.1.0"><div class="sc-fjdhpX kzpdFv" data-reactid=".0.1.0.2.1.1.0.0.1.1"><button class="sc-htoDjs hwlddf" type="button" data-reactid=".0.1.0.2.1.1.0.0.1.1.0" data-ol-has-click-handler=""><span 
data-reactid=".0.1.0.2.1.1.0.0.1.1.0.0">Show</span></button></div></div></div><div class="sc-gzVnrw bbllgR" data-reactid=".0.1.0.2.1.1.0.1"><div class="sc-kTUwUJ hEhvUk" data-reactid=".0.1.0.2.1.1.0.1.0"><button class="sc-dqBHgY klmaCY sc-kpOJdX cJxxka" type="submit" tabindex="0" data-reactid=".0.1.0.2.1.1.0.1.0.0"><span data-reactid=".0.1.0.2.1.1.0.1.0.0.0">Continue</span></button></div></div></div></form></div></div></div><div class="sc-lkqHmb edzhqU" data-reactid=".0.1.1"><ul class="sc-bbmXgH jajOPZ" data-reactid=".0.1.1.0"><li class="sc-gGBfsJ hOCCzp" data-reactid=".0.1.1.0.$/=10"><a class="sc-bXGyLb iPZDW" href="https://www.onelogin.com/" data-reactid=".0.1.1.0.$/=10.0">Powered by OneLogin</a></li><li class="sc-gGBfsJ hOCCzp" data-reactid=".0.1.1.0.$/=11"><a class="sc-bXGyLb iPZDW" href="https://www.onelogin.com/terms" data-reactid=".0.1.1.0.$/=11.0">Terms</a></li><li class="sc-gGBfsJ hOCCzp" data-reactid=".0.1.1.0.$/=12"><a class="sc-bXGyLb iPZDW" href="https://www.onelogin.com/privacy" data-reactid=".0.1.1.0.$/=12.0">Privacy Policy</a></li></ul></div></div></div></div>

  <!--[if lt IE 10]>
      <script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.js"></script>
      <script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
      <script src="https://cdn.polyfill.io/v2/polyfill.min.js?features=Intl.~locale.en"></script>
      <script src="https://cdnjs.cloudflare.com/ajax/libs/json3/3.3.0/json3.min.js"></script>
      <script type="text/javascript" src="https://web-login-v2-cdn.onelogin.com/login2/vendor-es3e9546ec8364afb5dca2950cfa438895f901ea1cd.js"></script>
      <script type="text/javascript" src="https://web-login-v2-cdn.onelogin.com/login2/intl-es3e9546ec8364afb5dca2950cfa438895f901ea1cd.js"></script>
      <script type="text/javascript" src="https://web-login-v2-cdn.onelogin.com/login2/app-es3e9546ec8364afb5dca2950cfa438895f901ea1cd.js"></script>
 <![endif]-->

  <!--[if gte IE 10 | !IE ]><!-->
      <script type="text/javascript" src="OneLogin2FA_files/vendore9546ec8364afb5dca2950cfa438895f901ea1cd.js"></script>
      <script type="text/javascript" src="OneLogin2FA_files/intle9546ec8364afb5dca2950cfa438895f901ea1cd.js"></script>
      <script type="text/javascript" src="OneLogin2FA_files/appe9546ec8364afb5dca2950cfa438895f901ea1cd.js"></script>
  <!--[endif]---->


</body></html>

1Password Version: 1Password 7 Version 7.6 (70600006) Mac App Store
Extension Version: 4.7.5.90
OS Version: OS X Catalina 10.15.6 (19G73)
Sync Type: 1PW Cloud
Referrer: forum-search:onelogin
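
The behaviour the post describes (a filler treating any type="password" input as the login password) can be compared with a hint-aware rule. This is an added example, not part of the original post and not 1Password's or OneLogin's actual code; the hint list, function names and the two extra sample fields are assumptions, while the first field's attributes are copied from the input element quoted above.

```javascript
// Added example: a hypothetical field classifier, not 1Password's or OneLogin's code.
// Fields are plain objects so the sketch runs in Node without a DOM.

// Hints suggesting a one-time-code field (constructed list, an assumption).
const OTP_HINTS =
  /(one[-_ ]?time|otp|2fa|mfa|totp|security[-_ ]?code|authenticator|verification[-_ ]?code)/i;

// Naive rule: anything rendered as type="password" receives the stored password.
function classifyByTypeOnly(field) {
  return field.type === "password" ? "password" : "other";
}

// Hint-aware rule: the autocomplete token wins, then id/name/test-id/label text.
function classifyField(field) {
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/);
  if (tokens.includes("one-time-code")) return "otp";
  if (tokens.includes("current-password") || tokens.includes("new-password")) return "password";
  const haystack = [field.id, field.name, field["data-testid"], field.label]
    .filter(Boolean)
    .join(" ");
  if (OTP_HINTS.test(haystack)) return "otp";
  return field.type === "password" ? "password" : "other";
}

// Attributes of the OTP input quoted in the post, plus its <label> text.
const oneLoginOtpField = {
  id: "security-code",
  "data-testid": "security-code",
  type: "password",
  autocomplete: "off",
  maxlength: "255",
  label: "Enter your Authenticator code",
};

// Constructed: markup a site could ship so that fillers need no guessing.
const explicitOtpField = { id: "code", type: "text", inputmode: "numeric", autocomplete: "one-time-code" };

// Constructed: an ordinary login password field.
const loginPasswordField = { id: "password", type: "password", autocomplete: "current-password" };

function demo() {
  return {
    naive: classifyByTypeOnly(oneLoginOtpField),
    hinted: classifyField(oneLoginOtpField),
    explicit: classifyField(explicitOtpField),
    login: classifyField(loginPasswordField),
  };
}

console.log(demo());
```

The type-only rule labels the quoted field "password", which matches the misfill reported here; the id, data-testid and label text are enough to label it "otp". The page also renders a "Show" button beside this input, so a misfilled password can end up readable on screen.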

Comments

  • ag_yaron

    Team Member

    Hey @yetanotherusername ,
    Thanks for all the info on that page's 2FA field.

    I'd like to ask you one more thing in order to properly tackle this issue. Can you please send us the following:

    1. Right click the 1Password X extension icon on the top right corner of your browser and select "Manage Extensions".
    2. Turn on the "Developer Mode" toggle on the top right side of the page.
    3. In the center of the page where you see the extension's details, click the "Background Page" link.
    4. A new window will open. Select the "Console" tab at its top, then click the bottom part of the console so you can write in it.
    5. Type in the following and hit Enter afterwards: localStorage.setItem("devtools", "Y")
    6. Close Chrome completely, then relaunch it and unlock 1Password X. Now, when you right click the 1Password X icon on the top right corner, you should see a new menu option called "Developer Tools" and use it to collect page details.
    7. Get to the 2FA page and before 1Password autofills your password, collect the page details. Save it in a json or txt file and send it over to [email protected] alongside a link to this forum discussion so we can connect the dots faster.

    Thank you kindly!

  • Ack! This is embarrassing. It now works correctly with the 1 Password X extension. When I stopped using 1PasswordX (maybe 1 year ago), it didn't fill in OneLogin's 2FA correctly either. I just reinstalled it, and it handles the page correctly. So now it appears it is only the 1Password 7 browser add-on that incorrectly autofills (both in Chrome and FF).

    I sent the email as you requested in the hopes that you can fix it for 1pw7. I don't use 1pwX (despite it being a superior add-on) because I dislike having to type my 1pw password into both 1pwX and 1pw desktop.

  • ag_yaron

    Team Member

    Thanks for the additional info @yetanotherusername.

    This is great news, because every fix/update that reaches 1Password X will eventually reach the companion extension that connects to the desktop app, so it is just a matter of time before things work properly in your current extension.

    As for having to unlock 1Password X separately, we're working on that too and hopefully that won't be an issue in the near future :)
