9 Replies Latest reply on Sep 29, 2017 12:11 PM by trueme

    Better Domain / URL detection for Domains with Multiple Different Credentials

    niraj.shah

      The URL detection in True Key needs to be improved. I have a situation where I have a few different URLs on the same domain, but each URL has different credentials associated with them. Unfortunately, True Key doesn't detect this properly and attempts to login with incorrect credentials.

       

      For example:

       

      Domain 1: https://example.com uses Username1 and Password1

      Domain 2: https://example.com:8080 needs Username2 and Password2

       

      Unfortunately, True Key keeps attempting to login to Domain 2 with Username1 and Password1, and then showing the "Have trouble logging in?" banner. This issue also affects different folders / paths on the same domain.

       

      This issue was previously posted to https://feedback.truekey.com/truekey/topics/better-domain-url-detection-for-domains-with-multiple-credentials, but it went unanswered for weeks.

        • 1. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
          marcd

          This is not so much of an issue as it is more of a great suggestion on something we should focus more to improve. In the next few weeks we will be releasing new versions that will have a better in-page detection model that we hope will alleviate some of this kind of experience, please keep letting us know if you find more issues going forward.

          Best regards,

          Marc D.

          • 2. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
            niraj.shah

            Actually it is an issue and an important one at that. If the plugin can't detect differences in the URL, what's the point of forcing users to install the plugin? And then keep bugging us to install the plugin when we refuse to?

             

            The URL detection is so bad that True Key likes to use my https://community.mcafee.com/ credentials to also log into: https://home.mcafee.com/

             

            Two different sites with completely different credentials. If that isn't an issue, I don't know what you consider one. It doesn't even need to be better "in-page detection". How about just looking at the URL of the page?

            • 3. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
              marcd

              Agreed and I am not minimizing the importance of what you are reporting but as I said since we will be introducing a drastic change with the in-page detection model, and it would not make any sense to work on fixing this issue since the model will be a completely different one. I suggest to see within our next 2 new version releases if the issue you are bringing to us has been dealt with, otherwise I will encourage you to submit a ticket to our support team so it can be properly escalated to us.

              Thanks,

              Marc D.

              • 4. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
                niraj.shah

                Thanks. I will look out for the updates and see if they resolve my issue.

                • 5. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
                  marcd

                  Just to add to this thread, we have never supported a sub domain with a port number and most likely the next few versions won't change anything on the ports detection as part of a sub domain.

                  Marc D.

                  • 6. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
                    catdaddy

                    We Mods appreciate your attention to detail and immense Product knowledge. And your responding to our requests.

                     

                    All the Best

                    Thank you Marc

                     

                    Cliff/CD

                    • 7. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
                      isaacchua

                      Hey Marc,

                       

                      I think there are several possible user preferences on the site matching and auto-fill/login features (they are linked).

                       

                      For site matching feature, these parameters are possible:

                      • Protocol (e.g. http, https, ftp, etc.)
                      • Host (e.g. example.com, www.example.com, *.example.com, etc., domain/sub-domain matching)
                      • Port (e.g. example.com:8080, example.com:80, and even the lack of specification of a port)
                      • Path (e.g. example.com/path/to/login, etc.)
                      • Multiple combinations of these for a set of usernames/passwords (in my country, the nation-wide ticketing agent has multiple websites with completely different domain names, but one can log into any of them with the same account — poor SSO architecture I know, but that's the way it is**)

                      ** Side question: Does True Key support multiple domains for one set of credentials?

                       

                      For the auto feature, these parameters are possible:

                      • Auto-login (True Key auto-fills the credentials that best match and logs in automatically — but this will require as precise a matching as possible)
                      • Auto-fill (True Key auto-fills the credentials but does not log in)
                      • No auto-fill nor login (True Key does not do anything; it is up to the user to choose and fill, but will not require a very precise matching)
                        • Under the above category: Single field manual fill (the user can choose which field True Key stores to fill into the selected field — Keeper has this feature for instance)

                       

                      The thread starter above prefers a stricter matching which includes both the host and port, and auto-login, as defined above.

                       

                      On the other hand, I prefer a looser matching — as long as the domain (example.com) matches, regardless of the subdomain, port, path, or protocol, I would like the credential to show up as an option. And I want no auto-fill nor login — I do not want the site to have my credentials pasted into, even though it's just on the browser, unless I explicitly tell the plugin to do so. Put another way, the auto behaviour I'd prefer is similar to Keeper's.

                       

                      Because of the wide spectrum of preferences, and the complexity that could confuse users if the full customisation features above are, may I propose:

                      1. Let users primarily choose one of the auto features of "auto-login"-"auto-fill"-"none".
                      2. Under "Advanced Matching Settings" or similar, give the user the options to:
                        • Host matching: Exact (i.e. subdomains must be equal), or Domain only (i.e. as long as the domain part matches, it qualifies)
                        • Port matching: Exact, or Any
                        • Any other matching setting as appropriate
                        • Note that these matching settings should simply shortlist the credentials that the user may use in the site. If there is only one matching credential, and "auto-login" or "auto-fill" is selected, the app should proceed to fill automatically. If there is more than one, the app should not fill anything, and let the user select the correct credential to fill (similar to the "none" case).
                      3. Let users specify more than one URL per credential.
                      4. A possibility might be to allow the user to search for any credential in the database to fill (in another screen) whenever he wants to (such as if none of the credentials according to the matching settings in point 2 match the current site), but of course, making it easy this way will make it easier for people to fall for phishing attacks.

                       

                      Taken together, this should make a better product that fits the needs of a wide spectrum of users.

                       

                      Isaac
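
The matching settings proposed in the post above (host exact or domain-only, port exact or any, several URLs per credential, fill only on a single match), sketched as an added example that is not part of the original thread and not True Key's code. All function and setting names are hypothetical, and the "domain" is approximated as the last two host labels where a real matcher would use the Public Suffix List.

```javascript
// Added example: shortlist stored credentials for a page URL, then decide whether to fill.
// Assumption: "domain" = last two host labels; production code needs the Public Suffix List.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function parts(urlString) {
  const u = new URL(urlString);
  const host = u.hostname.toLowerCase();
  return {
    host,
    // URL drops a scheme's default port, so restore it before comparing.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
    domain: host.split(".").slice(-2).join("."),
  };
}

function urlMatches(pageUrl, storedUrl, settings) {
  const page = parts(pageUrl), stored = parts(storedUrl);
  const hostOk = settings.host === "exact"
    ? page.host === stored.host
    : page.domain === stored.domain;
  const portOk = settings.port === "any" || page.port === stored.port;
  return hostOk && portOk;
}

// Each credential may list several URLs (point 3 of the proposal).
function shortlist(pageUrl, credentials, settings) {
  return credentials.filter(c => c.urls.some(u => urlMatches(pageUrl, u, settings)));
}

// Fill only when exactly one credential matches and an auto mode is on;
// in every other case nothing is filled and the user chooses.
function decide(pageUrl, credentials, settings) {
  const matches = shortlist(pageUrl, credentials, settings);
  if (matches.length === 1 && settings.auto !== "none") {
    return { action: settings.auto, credential: matches[0].username, choices: [] };
  }
  return { action: "ask-user", credential: null, choices: matches.map(c => c.username) };
}

// Constructed sample vault, using the thread's example URLs.
const VAULT = [
  { username: "Username1", urls: ["https://example.com"] },
  { username: "Username2", urls: ["https://example.com:8080"] },
];
const STRICT = { host: "exact", port: "exact", auto: "auto-login" };
const LOOSE = { host: "domain", port: "any", auto: "auto-login" };
```

With `STRICT`, the page at `https://example.com:8080` gets only `Username2`; with `LOOSE`, both credentials match and nothing is filled until the user picks one, which is what keeps loose matching from sending one site's password to another.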

                      • 8. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
                        marcd

                        All these are great points, I will convey them to the right team so they can be taken into account.

                        Thanks,

                        Marc D.

                        • 9. Re: Better Domain / URL detection for Domains with Multiple Different Credentials
                          trueme

                          Niraj,

                           

                          Just as an aside workaround, if you manually add your second credential for the same domain (domain.com and domain:8080) - you should get prompted with both sets each time you go to example.com or example.com:8080. Turn off auto-login and you should be good. Just select the right login for the site being accessed. That is if the plugin is working right, currently I have lost the multiple account popup on Firefox but it still works on Edge.

                           

                          Also, if you select to launch access via a TK tab via Launch Pad that should also work with the proper URL manually added for each site. Not as seamless as native detection but it should work.