Page MenuHomePhabricator
Create Task
Maniphest T356004

Help password managers to detect TOTP login input
Open, Needs TriagePublic
Actions

Description

For months now, Proton Pass doesn't know when to suggest to fill in the token. I was expecting it to eventually correct itself upstream as the input is well specified, but I guess no. I don't remember if it was fine with Bitwarden, but on Android I met no problems.

Instead of asking individually passwords managers to correct their behavior, let's try to have a more precise input on what they expect, to help password managers detection.

Related Objects
Search...

Event Timeline

Lofhi created this task.Jan 28 2024, 3:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2024, 3:04 AM
Lofhi added a comment.Jan 28 2024, 3:06 AM

Phabricator does not offer to add a blocking task, so linking T313058 that wants to disable this mechanism.

Lofhi added a comment.EditedJan 28 2024, 3:16 AM

Nevermind, I was going to commit more HTML-validation attributes (inputmode="numeric" pattern="\d{6}" minlength="6" maxlength="6"), then I remembered that the same input is used for scratch tokens. Welp.

Even if Proton fixes it after I report it, I still think that the inputmode="numeric" could be a nice add.

Lofhi removed Lofhi as the assignee of this task.Jan 28 2024, 3:16 AM
Pppery reopened this task as Open.Jan 28 2024, 4:55 AM
Pppery closed this task as a duplicate of T316303: Check global rights during autocreation.
Pppery subscribed.

Oops, sorry, wrong task

Pppery unsubscribed.Jan 28 2024, 4:55 AM
XtexChooser subscribed.Jan 28 2024, 5:02 AM
Reedy subscribed.Jan 28 2024, 2:47 PM
In T356004#9492484, @Lofhi wrote:

Phabricator does not offer to add a blocking task, so linking T313058 that wants to disable this mechanism.

No it doesn't. That wants to turn off the autocomplete of previously entered entries to that box, same as T226049: When enabling 2FA, autocomplete is enabled when verifying 2FA, which follows on from T141735: AuthManager shouldn't allow the browser to show suggestions for input fields (autocomplete).

See also: T289086: Allow iOS/macOS/iPadOS to autofill 2fa codes

Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Jan 29 2024, 6:36 PM
Reedy added a comment.Jan 31 2024, 4:59 PM
In T356004#9492486, @Lofhi wrote:

Even if Proton fixes it after I report it, I still think that the inputmode="numeric" could be a nice add.

Only if we hide the arrows...

Tgr subscribed.Apr 8 2024, 8:05 PM

See T151738: OATH code field should show numeric keyboard on mobile devices.

IMO we should separate the TOTP and scratch token fields (or use the same field but use JS to switch validation rules).

taavi added a subtask: T232336: Separate recovery codes into a separate 2FA module.Apr 20 2024, 10:22 AM
Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Apr 10 2025, 3:17 PM
Alex44019 subscribed.Apr 12 2025, 2:16 PM
Tgr added a comment.Jul 8 2025, 10:31 PM

The (rather dumb) rules used by ProtonPass are described here. I guess we'd need to change the field name and ID.

Tgr reopened subtask T232336: Separate recovery codes into a separate 2FA module as Open.Jul 31 2025, 4:48 PM
sbassett closed subtask T232336: Separate recovery codes into a separate 2FA module as Resolved.Oct 3 2025, 8:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits