Lack of classic extension?

Hey @dougl. I appreciate your sharing your experience here, especially with the context of the wording being cut off and only the icon being visible. It's not possible currently to turn off the inline icon on iOS/iPadOS, so I've opened two issues internally for us to track and think about things further: 1, the option to turn off the menu, as is present on desktop; and 2, the inline wording/appearance by default, so we maintain helpful functionality while keeping our users as safe as possible.

ref: dev/core/core#4314
ref: dev/projects/customer-feature-requests#918

Hi 1P_Rob just opening this one back up a bit. Installed the new plugin on my ipad, and on the very first site I ended up starting to type my passphrase into the actual website login field instead of the unlock. What happened is that when I clicked on the 1password icon in the username field, it popped up the keyboard, but because of the screen layout, all I could see was the one password logo (the 'please unlock from the toolbar' message was hidden by the keyboard). It looked for all the world like the entry field was the 1P field, when it was really the website field. This absolutely will happen repeatedly unless people are very very careful. I know now to always use the toolbar icon, but for safety's sake is there a way to remove the injected 1P icon in the username field itself on iOS?

Glad to help! 👍

1P_Rob thanks! glad to know that's still there.

And fair point, though users expecting something there is a mental model that makes it easier. I guess I find it unnecessary visual clutter. It often covers up other fields that I need to access, or override (e.g. when a site has changed from username to email, but the update didn't take in 1P).

But since it's disablable, I'm going to do that on my family's machines right now :-)

We'd love to elaborate more but this is something that's been explored internally and isn't quite ready to make the spotlight. If and when it does make it out of the lab, we'll be sure you give you a shout 🤫

1P_Rob I'm interested in the single sign-on feature. We use SSO at work - can you elaborate on that? You can split this into separate thread if you like.

That in-line prompt will be weaponized at some point so it does show a password prompt,

I see what you're saying. I just don't see the risk as that much greater than if the thing never existed. Either way people could/would just see it as a new feature. The best we can do is provide a consistent way to actually unlock 1Password so that anything different from that is regarded with suspicion.

At the very least we need a way to turn it off and just use the toolbar icon.

Ah, that you can do, at least partially. In the settings for 1Password in your browser, turn off "Show autofill menu on field focus":

1P_Rob exactly. That in-line prompt will be weaponized at some point so it does show a password prompt, and a substantial minority of users will just think it's an upgrade (how many people still click links in inbound emails after all). It doesn't provide any real utility, causes UI problems when it pops up, and adds risk.

At the very least we need a way to turn it off and just use the toolbar icon.

1P_Rob I have not. I don’t use those browsers.

@dougl sorry, I think I'm still confused. There's no password field in the 1Password UI. Are you saying the fact that a 1Password icon is shown will cause someone to just start typing their account password?

Folks who are using this on a regular basis will not be expecting to type a password at all because we never ask them to, so it's not a muscle memory thing. And I have a hard time believing that folks who don't use this UI regularly will just assume they should type their password here.

As for a malicious actor, yeah, that will always be a threat, whether or not we have an inline menu.

@tiltowaitt yeah I think we have some things to work on there. Have you tried Chrome, Firefox, or Brave? I use Brave as a daily driver, and the extension is pretty snappy there.