When you use 1Password in your browser, Autofill lets you to sign in to apps and websites, fill credit card information, and complete forms without opening the 1Password app. Many considerations go into the design of Autofill behavior.
Technical considerations
1Password generally considers the security boundary of Autofill to be the action of filling your items. After you decide to fill your information, the responsibility of that item’s security transfers to you.
User input
1Password makes every effort to verify it’s not filling restricted items on incorrect websites. For example, 1Password will never Autofill without your input, even when there’s only one suggested item available. Your input prevents unwanted visibility of your information and functions as an anti-phishing mechanism.
iframe elements
1Password will autofill credit card information across iframe elements with different origins. Payment forms are often designed with credit card numbers in one iframe and security codes in another. Without this support, 1Password couldn’t fill credit card details on a vast number of e-commerce websites.
1Password won’t autofill a Login item in an iframe if that item’s URL doesn’t match the origin of the iframe. Although this is a security measure, it may result in partial filling of, or in some cases, a failure to fill the item.
Hidden fields
1Password uses a variety of checks to avoid filling hidden fields unless you’re filling an Identity item. 1Password will Autofill hidden identity fields if they meet a certain criteria and there’s another visible field of a similar kind. This check aids in proper filling of forms with conditional or dynamic fields.
Identity alerts
1Password won’t alert you before you fill an Identity item. Identity items contain Personally Identifiable Information (PII) but don’t contain restricted or secret fields.
Risk considerations
By default, 1Password will automatically submit filled forms to save you time and additional steps. This feature comes with some unwanted behavior because there’s no consistent standard for HTML structure or web page design. We continue to work to refine the process while balancing security and usability.