How to prevent one-time code from autofilling?
I'd like to use 1password for my authenticator, but not if it autofills the 6-digit code. That completely removes the security I need.
Is there a way to prevent the autofilling of this information, or do I need to use a separate authenticator?
8 Replies
- paulcola (New Contributor)
I agree the core issue is not just autofill itself, but the fact that all credentials, including the TOTP code, are accessible in the same environment during the period that a password manager is unlocked. That is the vulnerability I am focused on.
I do use lock timers, but as you said, the extension may stay unlocked even when the desktop app locks, depending on the settings. And if a hijack happens while the vault is open... full exposure.
Sure, there is theory vs likely. But I am trying to create a workflow where the second factor is not available in the same environment as the first. For now, keeping TOTP outside my password manager is the best way to do that, in my opinion. There are probably many other what ifs we could challenge, too!
- paulcola (New Contributor)
Thanks for the thoughtful response. The scenario I’m concerned about is this: if a hacker hijacks my browser and gains access to an active session, such as Facebook, I can log them out from another device. That invalidates the session token and forces a re-login.
At that point, the second factor becomes critical. If my username, password, and TOTP code are all stored in the same place and autofill in the browser, the attacker can log right back in without needing my phone or any separate device. That removes the entire point of two-factor authentication. It turns two factors into one.
If everything is bundled together and autofills from the same browser session, then it’s functionally no different from using a single strong password. I mean, if everything autofills in the browser, what’s the point of 2FA in the first place?
I understand the argument for convenience, but in my case, I’m specifically trying to protect against post-compromise access.
- AJCxZ0 (Bronze Expert)
In the scenario you describe the hacker uses an unspecified method to take full control of your browser while you are logged in to Facebook and does unspeakable things as you on Facebook until you notice and revoke or end that Facebook session from another device.
As you say, since the hacker still has full control of your browser, they can (unless some other access control is used) log back in to Facebook using your credentials available via the 1Password extension. Whether any of these are autofilled is incidental. Again, it sounds like you are concerned about having all credentials accessible in the same manner, i.e. via 1Password, rather than anything related to autofill.
A mitigation for this is locking 1Password, which can be done in the browser with clicking or the keyboard shortcut Shift-Control-l. The scenario doesn't exist if 1Password has automatically locked either with the desktop screen or as a result of the timer, so the hijack is constrained to the moments during which you have 1Password unlocked in order to give access to your secrets...
While writing that I realise that I've not included the relationship between the browser extension and the desktop client in a "hijack" situation. The connection is not required and the extension settings are accessible while locked, however switching from the desktop client integration to "cloud" requires your master password, but if you are already using "cloud" and have unlocked it...
The configurable timer or status for locking the 1Password extension depends on the desktop environment rather than the elapsed time since the access was unlocked in the extension. I'm not sure if having a setting to also control that would be sufficiently useful. These kinds of risk assessments are fun, but get complicated quickly. In this one we are glossing over the circumstances of the full control of the browser, which would be way more complicated than stealing session cookies.
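To make the reasoning in this exchange concrete, here is a small Python model of the scenario paulcola describes and AJCxZ0 analyses. It is an added example written for this page, not code from the thread, from 1Password or from any site; the relying party (`Site`), its session store, the password and the use of the RFC 6238 test seed are all constructed for illustration. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238. The walk-through shows the four points the thread makes: a stolen session token works until the victim revokes sessions from another device; revocation kills it; a re-login then needs the second factor; and if the TOTP seed sits in the same unlocked environment as the password, that second factor is computable right there, so whether the code is autofilled or copied by hand is incidental.

```python
"""Toy model of password + TOTP login, session theft, revocation and re-login.
Added example for the discussion above; not 1Password's code."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class Site:
    """Constructed relying party: checks password + TOTP and issues session tokens."""

    def __init__(self, password: str, totp_secret: bytes, step: int = 30):
        self._password = password
        self._totp_secret = totp_secret
        self._step = step
        self._sessions: set = set()
        self._used_counters: set = set()  # replay protection: each code is accepted once

    def login(self, password: str, code: str, now: int) -> Optional[str]:
        """Return a fresh session token on success, None on any failure."""
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return None
        counter = now // self._step
        for c in (counter - 1, counter, counter + 1):  # tolerate one step of clock drift
            if c in self._used_counters:
                continue
            if hmac.compare_digest(hotp(self._totp_secret, c).encode(), code.encode()):
                self._used_counters.add(c)
                token = secrets.token_hex(16)
                self._sessions.add(token)
                return token
        return None

    def is_valid(self, token: Optional[str]) -> bool:
        return token is not None and token in self._sessions

    def revoke_all(self) -> None:
        """'Log out everywhere' from another device: every session token dies."""
        self._sessions.clear()


def replay_scenario(now: int = 1_700_000_000) -> dict:
    """Walk through the thread's scenario and report each outcome as a boolean."""
    password = "correct horse battery staple"  # constructed
    seed = b"12345678901234567890"             # RFC 6238 test secret, used as a constructed seed
    site = Site(password, seed)

    # The victim logs in normally; the browser now holds a session token.
    victim_token = site.login(password, totp(seed, now), now)
    valid_before = site.is_valid(victim_token)

    # The victim notices and ends every session from another device.
    site.revoke_all()
    valid_after = site.is_valid(victim_token)

    # Two time steps later someone still inside the browser tries to log back in.
    later = now + 2 * 30
    # Case A: the unlocked vault holds only the password; no second factor is available.
    relogin_password_only = site.login(password, "", later)
    # Case B: the vault also holds the TOTP seed, so the current code is computable here.
    relogin_with_seed = site.login(password, totp(seed, later), later)

    return {
        "stolen_token_valid_before_revoke": valid_before,
        "stolen_token_valid_after_revoke": valid_after,
        "relogin_password_only": relogin_password_only is not None,
        "relogin_with_colocated_seed": relogin_with_seed is not None,
    }


if __name__ == "__main__":
    for name, outcome in replay_scenario().items():
        print(f"{name}: {outcome}")
```

The defensive takeaways are the ones the thread already states: revocation works against a stolen token, the replay window keeps a captured code from being reused, and the only thing that makes case B succeed is where the seed lives, not the autofill feature.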
- paulcola (New Contributor)
Thanks for your responses and for your time! I tried logging in here last night, it didn't work. But now, for some reason, I'm on my browser on my desktop and it, fortunately, remembered my first login. I appreciate your help and time! I understand the convenience of having 2FA autofill, but that removes a layer of security I can't afford. Thanks for the instructions.
- 1P_SimonH (Community Manager)
Hi paulcola,
I'm sorry logging into the Community was so onerous! If we can be of any help, please don't hesitate to email community@1password.com and we're happy to assist. I appreciate you persevering to share what functionality you're looking for.
- paulcola1 (New Contributor)
Hilarious. I had to create a second account just to answer this question. I'm the OP with a different user because my password didn't work. I changed it by using Forgot Password. But when entering the new password, it wouldn't let me in (said it didn't recognize user or password). Then I changed it again, same thing. This along with many other weird ways 1password has acted during my testing (too many to list) has driven me away from using it. But I appreciate your response.
I wanted to at least say if I ever got a browser hijack (which has happened), then having the browser produce the 6-digit one time code completely removes the security that 2FA offers. If someone gets a hold of my laptop and gets into my browser, they don't need my phone to log into my sites. If a hacker hijacks my browser, they have instant access to anything I have (had) access to. Anyway, if you reply and I don't, it's probably 1password community locking me out again for whatever reason. lol. Thanks for your time!
- AJCxZ0 (Bronze Expert)
I wanted to at least say if I ever got a browser hijack (which has happened), then having the browser produce the 6 digit one time code completely removes the security that 2FA offers.
There are several browser compromise scenarios with different risks. Probably the worst and most common is token stealing, from which no previously used authentication process will protect.
I'm struggling to imagine the scenario in which you are using the 1Password extension in the browser and have all the credentials for a web site stored in 1Password, but autofilling (only) the TOTP code adds a risk.
Storing TOTP keys and passkeys outside 1Password mitigates risks not obviously related to autofilling at the cost of convenience and simplicity. Using separate browser profiles, not storing site data beyond the session, and establishing a habit of logging out of sites and services goes a very long way to protect against many current realistic threats - even having your laptop stolen while in active use by an adversary wanting to access your data, which I hope is very unlikely in your case.
PS. I sympathise with your authentication struggles for reasons I won't mention here out of sympathy for poor, kind, and patient 1P_SimonH.
- AJCxZ0 (Bronze Expert)
You can configure the Login item to not autofill in the extension with ⁝, then ⚙ "Don't sign in automatically".
What is "the security [you] need" which precludes filling a MFA/2FA/TOTP code which you chose 1Password to generate?