QR Code and IAM Identity Center

zondi
Community Member
edited January 2023 in Linux

On both macOS 13.1 + 1Password v8.9.12 and pop_OS (Ubuntu) + 1Password v8.9.10 + Chrome v109.0.5414.6, 1Password is unable to scan the generated QR code.

Says No QR Code found.

Even taking a screenshot of the QR code to use the One-Time Password option via the installed 1Password app is not possible as the option is missing.

Could you help?

Thanks.


1Password Version: 8.9.12
Extension Version: 2.6.1
OS Version: macOS 13.1
Browser: Chrome

Comments

  • Hey @zondi, thanks for reaching out. I apologize for our delayed response.

    Is this issue only occurring when scanning a QR code from IAM Identity Center?

    Even taking a screenshot of the QR code to use the One-Time Password option via the installed 1Password app is not possible as the option is missing.

    You should see the option to scan a QR code if you navigate to an item and Edit > + add more > One-Time Password:

    Is that option missing for you or not scanning the QR code properly? Looking forward to your response.

    Ali

  • zondi
    Community Member

    Hello, Ali.

    I'm very aware of that option as I have used 1Password since the service came online.

    This is pretty easy to replicate.

    If such an option was possible, I wouldn't have raised this ticket.

    No matter what and how you tried to get this done, the same result is what you get.

    But if someone can point me to what I may be doing wrong or find a way to fix the issue, it will be much appreciated.

    We stopped rolling out Identity for the Org I'm working with until we get a response from you.

    Thanks.

  • Hi @zondi, thanks for your reply. Do you have the option to manually retrieve the one-time password secret as an alternative to scanning the QR code? If so, does manually pasting that into the one-time password section and saving the item yield any results?

    In any case, I'd like to ask you to reproduce the issue and then create a diagnostics report from your Linux device:

    Sending Diagnostics Reports (Linux)

    Attach the diagnostics to an email message addressed to support+linux@1password.com.

    With your email please include:

    We'll look forward to hearing from you!

    Ali

  • zondi
    Community Member
    edited January 2023

    Hi @AliH1P .

    Since this happens whether I'm on macOS or Linux, I'm attaching a screenshot to show you the flow and result.

    A user visits https://$orgName.awsapps.com/start which will redirect to something like https://us-west-2.signin.aws/platform/login?workflowStateHandle=58858585-033737373737-randomNumbers

    Logs in and he | she | they is | are presented with this option:

    Selects the "different device option" and is presented with this:

    As you will see if you replicate this, the generated QR code does not have the option to copy and do this manually.

    Moreover, the QR code design is different though I don't know much about QR and I'm also unable to find the type at https://en.wikipedia.org/wiki/QR_code.

    I know this is not exactly what you want me to do.

    But hope it throws more light on this.

    Will see if I can find time later to send the log to you.

    Thanks and have a wonderful evening.

  • AliH1P
    edited January 2023

    Hey @zondi, thanks for the screenshots. I noticed that there is an attempt to add 2FA using a Passkey rather than an authenticator application.

    I recreated a similar environment and can see that a user should be presented with the following options:

    Selecting Authenticator app will present the user with a QR code that 1Password can recognize and add a one-time password for. I tested this using both the desktop application and extension and it works well.

    On the other hand, selecting Security key and cancelling the initial prompt results in the request to create a passkey:

    The subsequent QR code after selecting "different device" is not for a time-based one-time password and won't work with 1Password.

    I'm not very familiar with the IAM Identity Center, but let me know if you have the option to add via authenticator app and whether that works with 1Password.

    Ali

  • zondi
    Community Member

    Hi @AliH1P

    Not really.

    The screenshot was taken before the "different device" option was selected.

    Like I mentioned before, I have been using 1Password for a very long time and am familiar (at least to a reasonable extent) with what can and cannot be done with it.

    What I intend to do later this evening is to use a mobile device for the scanning instead of the browser or desktop app options.

    Thank you.

  • zondi
    Community Member

    @AliH1P

    It might be worth keeping in mind that the normal AWS account 2FA implementation is completely separate/different from the new AWS ID Center which replaced SSO.

  • Hey @zondi, I'm sorry to hear that doesn't help.

    To further clarify, in your screenshot I can see an attempt at scanning a Passkey QR code rather than a time-based one-time password QR code. This is not expected to work with 1Password at the moment but our team is working on bringing Passkeys to 1Password this year.

  • zondi
    Community Member

    @AliH1P

    The screenshot was taken before the "different device" option was selected.

    As previously mentioned, I don't use passkeys and thus have no need for selecting that option.

    The screenshot was taken during the process and before the selection was made.

    Thank you.

  • zondi
    Community Member

    Hello, @AliH1P

    Seems I'm missing a critical piece of information.

    But nothing at https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-register-device.html can shed a light on this.

    I just noticed that this is not actually a 1Password issue.

    I tried to use Google Authenticator, Microsoft Authenticator, and even Authy to scan the generated code.

    And got this:

    Is it possible to let me know what I may be missing from the mobile device screenshot?

    Thanks for the help.

  • Hey @zondi, thanks for your reply.

    The QR code that is being generated in your screenshot is for a passkey rather than time-based 2FA and therefore will not work with 1Password or other two-factor authenticators.

    I would recommend reaching out to AWS to get further clarification on MFA options and whether you can use an authenticator app.

    Let me know if you have any questions or if there's anything else we can help with.

    Ali
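
The distinction Ali describes can be checked on the text a QR decoder returns. This is an added example, not part of the thread and not 1Password or AWS code: `classify_qr_payload` is a hypothetical helper, the sample payloads are constructed, and it assumes the `otpauth://` key URI format used by authenticator apps and the `FIDO:/` prefix used by cross-device passkey QR codes.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample payloads (text a QR decoder would return); not from the thread.
TOTP_QR = ("otpauth://totp/ExampleOrg:alice@example.com"
           "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleOrg&digits=6&period=30")
PASSKEY_QR = "FIDO:/" + "0123456789" * 8  # placeholder digits, not a real handshake
BROKEN_QR = "otpauth://totp/ExampleOrg:bob?secret=not-base32!"


def classify_qr_payload(payload: str) -> dict:
    """Say whether decoded QR text can enrol a one-time-password authenticator."""
    text = payload.strip()
    result = {"kind": "unknown", "totp_capable": False, "problems": []}
    problems = result["problems"]

    # Cross-device passkey codes carry "FIDO:/" followed by decimal digits;
    # there is no shared secret in them for an OTP app to store.
    if text.upper().startswith("FIDO:/"):
        result["kind"] = "passkey-hybrid"
        if not text[6:].isdigit():
            problems.append("FIDO payload is not all digits")
        return result

    parts = urlsplit(text)
    if parts.scheme != "otpauth":
        problems.append("not an otpauth:// key URI")
        return result

    result["kind"] = parts.netloc.lower()  # expected: "totp" or "hotp"
    if result["kind"] not in ("totp", "hotp"):
        problems.append("unknown OTP type")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}

    secret = params.get("secret", "").upper()
    try:
        # Authenticator secrets are base32, usually with the padding stripped.
        if not base64.b32decode(secret + "=" * (-len(secret) % 8)):
            problems.append("empty secret")
    except ValueError:
        problems.append("secret is not valid base32")
    if params.get("digits", "6") not in ("6", "8"):
        problems.append("digits must be 6 or 8")
    period = params.get("period", "30")
    if not (period.isdigit() and int(period) > 0):
        problems.append("period must be a positive integer")
    if params.get("algorithm", "SHA1").upper() not in ("SHA1", "SHA256", "SHA512"):
        problems.append("unsupported algorithm")

    result["totp_capable"] = result["kind"] == "totp" and not problems
    return result
```
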

  • zondi
    Community Member

    @AliH1P

    Will do.

    Thank you, Ali, for your time and help.

  • You're most welcome @zondi, we're always happy to assist.

This discussion has been closed.