Forum Discussion
paulcola
6 months ago, New Contributor
How to prevent one-time code from autofilling?
I'd like to use 1Password for my authenticator, but not if it autofills the 6 digit code. That completely removes the security I need. Is there a way to prevent the autofilling of this informatio...
- 6 months ago
Hi paulcola,
I'm sorry logging into the Community was so onerous! If we can be of any help, please don't hesitate to email community@1password.com and we're happy to assist. I appreciate you persevering to share what functionality you're looking for.
paulcola
6 months ago, New Contributor
Thanks for the thoughtful response. The scenario I’m concerned about is this: if a hacker hijacks my browser and gains access to an active session, such as Facebook, I can log them out from another device. That invalidates the session token and forces a re-login.
At that point, the second factor becomes critical. If my username, password, and TOTP code are all stored in the same place and autofill in the browser, the attacker can log right back in without needing my phone or any separate device. That removes the entire point of two-factor authentication. It turns two factors into one.
If everything is bundled together and autofills from the same browser session, then it’s functionally no different from using a single strong password. I mean, if everything autofills in the browser, what’s the point of 2FA in the first place?
I understand the argument for convenience, but in my case, I’m specifically trying to protect against post-compromise access.
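The point paulcola makes above, that a TOTP seed stored next to the password is not a separate factor, can be shown concretely. The following is an added example, not code from the thread and not 1Password's own implementation: a plain RFC 6238 TOTP derivation in Python. The vault record, username and password are constructed for illustration; the seed is the RFC 6238 reference seed (ASCII "12345678901234567890") in base32, so the codes can be checked against the RFC's published vectors. Whoever holds the seed can mint every code, and the server's verification is the very same computation, so a vault that autofills username, password and code hands over all three from one place.

```python
"""Added example (not from the thread): RFC 6238 TOTP derived from a stored seed.

The six-digit code is a pure function of (seed, time). Holding the seed is
holding the 'second factor'; no separate device is involved.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_seed(base32_seed: str) -> bytes:
    """Decode a base32 seed as it appears in an otpauth:// URI (tolerates spaces, case, missing padding)."""
    s = base32_seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(base32_seed: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for the given Unix time."""
    return hotp(decode_seed(base32_seed), at_time // step, digits)


def verify(base32_seed: str, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: the same computation, tolerating +/- `window` steps of clock skew."""
    for offset in range(-window, window + 1):
        candidate = totp(base32_seed, at_time + offset * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed vault item (hypothetical): username, password and TOTP seed in one record.
# The seed is the RFC 6238 reference seed, ASCII "12345678901234567890", base32-encoded.
VAULT_ITEM = {
    "username": "alice@example.com",
    "password": "correct horse battery staple",
    "otp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def login_bundle(item: dict, at_time: int) -> dict:
    """Everything the login form asks for, produced from the single stored record."""
    return {
        "username": item["username"],
        "password": item["password"],
        "otp": totp(item["otp_seed"], at_time),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors, truncated to six digits.
    assert totp(VAULT_ITEM["otp_seed"], 59) == "287082"
    assert totp(VAULT_ITEM["otp_seed"], 1111111109) == "081804"
    print(login_bundle(VAULT_ITEM, int(time.time())))
```

`login_bundle` is the attacker's view in the scenario above: with the record readable (the extension unlocked), a fresh, valid code is available at any moment, so revoking the session buys nothing on its own. Keeping the seed on a device the browser cannot read, or keeping the vault locked when not actively in use, is what restores the second factor.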
AJCxZ0
6 months ago, Silver Expert
In the scenario you describe, the hacker uses an unspecified method to take full control of your browser while you are logged in to Facebook and does unspeakable things as you on Facebook until you notice and revoke or end that Facebook session from another device.
As you say, since the hacker still has full control of your browser, they can (unless some other access control is used) log back in to Facebook using your credentials available via the 1Password extension. Whether any of these are autofilled is incidental.
Again, it sounds like you are concerned about having all credentials accessible in the same manner, i.e. via 1Password, rather than anything related to autofill.
A mitigation for this is locking 1Password, which can be done in the browser by clicking or with the keyboard shortcut Shift-Control-l. The scenario doesn't exist if 1Password has automatically locked, either with the desktop screen or as a result of the timer, so the hijack is constrained to the moments during which you have 1Password unlocked in order to give access to your secrets...
While writing that, I realise that I've not included the relationship between the browser extension and the desktop client in a "hijack" situation. The connection is not required and the extension settings are accessible while locked; however, switching from the desktop client integration to "cloud" requires your master password, but if you are already using "cloud" and have unlocked it...
The configurable timer or status for locking the 1Password extension depends on the desktop environment rather than the elapsed time since the access was unlocked in the extension. I'm not sure if having a setting to also control that would be sufficiently useful.
These kinds of risk assessments are fun, but get complicated quickly. In this one we are glossing over the circumstances of the full control of the browser, which would be way more complicated than stealing session cookies.