One LDAP Account, Multiple OTP

cpplain
Community Member

I have a single LDAP account used to access multiple sites. For normal username/password authentication, this is not a problem. The URL for each site is stored under the same LDAP login item. However, some of the sites require OTP and, unfortunately, use separate tokens. Keeping each site's OTP in the same login item has not worked very well. Is there a recommended/suggested way to handle this scenario?


1Password Version: 7.7
Extension Version: Not Provided
OS Version: macOS 10.15.7
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @cpplain!

    However, some of the sites require OTP and, unfortunately, use separate tokens. Keeping each site's OTP in the same login item has not worked very well.

    Can you please elaborate on this a little bit? What do you find that doesn't work very well with this approach?

  • cpplain
    Community Member

    @ag_ana, apologies for the very belated reply.

    For a single LDAP account, I access multiple sites.

    Simplified, anonymized example:

    site1.domain1.com
    site2.domain1.com

    site9.domain2.com

    Several of the sites require OTP. The OTP token is unique to each site, requiring one entry per site in the login item requiring OTP.

    Login Item {
    username: user,
    password: pass,
    sites: …
    otpsite1: token1,
    otpsite2: token2,
    }

    The first OTP entry is listed, when viewing the login item, directly underneath the password and is copied automatically to the clipboard. However, any subsequent OTP entry is listed under all the sites and must be accessed by scrolling past the list of sites.

    Unless I'm missing something, 1Password does not currently support a use case I've seen in two very large enterprise environments: multiple resources authenticating via LDAP/Active Directory but using separate secondary authentication mechanisms.

    Keeping everything in a single login item is messy and separating the sites into separate items causes 1Password to complain of duplicate passwords. Additionally, this complicates management of password changes.

    If the feature doesn't already exist, I'd like to see the option to reference shared credentials from multiple login items.

    For example:

    Shared Login 1 {username: user, password: pass}
    Login Site 1 {sharedLogin: 'Shared Login 1', otp: token1}
    Login Site 2 {sharedLogin: 'Shared Login 1', otp: token2}

    This would allow users to keep separate logins containing information specific to the site/resource while allowing 1Password to identify the password as unique and enabling easier password maintenance.
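    As an added illustration of the shared-credential model proposed above (example code written for this thread, not 1Password's data format or any code from the post), a small Python model in which site logins reference one shared username/password and each carries its own TOTP secret; the site names, secrets and the duplicate-password check are constructed assumptions.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class SharedLogin:
    """One credential (the LDAP/AD username and password) stored once."""
    name: str
    username: str
    password: str


@dataclass
class SiteLogin:
    """Per-site item: references the shared credential, owns its own TOTP secret."""
    site: str
    shared: SharedLogin      # reference to the shared item, not a copy of the password
    totp_secret: bytes       # raw secret; unique per site in this constructed example


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_for_site(logins: list, site: str, unix_time: int) -> str:
    """Look up the site item and generate the OTP from that site's own secret."""
    item = next(l for l in logins if l.site == site)
    return totp(item.totp_secret, unix_time)


def duplicate_password_warnings(logins: list) -> list:
    """Flag a password only when two *different* shared credentials use it.
    Site items that reference the same SharedLogin are one credential, not duplicates."""
    owners = {}
    for l in logins:
        owners.setdefault(l.shared.password, set()).add(l.shared.name)
    return sorted(pw for pw, names in owners.items() if len(names) > 1)


# Constructed sample data; the first secret is the RFC 6238 test vector secret.
CORP = SharedLogin("Shared Login 1", "user", "pass")
LOGINS = [
    SiteLogin("site1.domain1.com", CORP, b"12345678901234567890"),
    SiteLogin("site2.domain1.com", CORP, b"example-secret-for-site2"),
]
```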

  • Ben

    Now it is our turn to apologize for the belated reply. :(

    I think the best experience we can offer here at the moment is a single Login item with both OTPs added and labeled. As you say, you may need to scroll to see the various OTPs, and only the first listed one will be automatically copied to the clipboard. That said, we certainly recognize SSO as an area in which we could improve our handling for the future. :+1:

    Thanks!

    Ben

This discussion has been closed.