Page MenuHomePhabricator

Help password managers to detect TOTP login input
Open, Needs TriagePublic

Description

For months now, Proton Pass doesn't know when to suggest to fill in the token. I was expecting it to eventually correct itself upstream as the input is well specified, but I guess no. I don't remember if it was fine with Bitwarden, but on Android I met no problems.

Instead of asking individually passwords managers to correct their behavior, let's try to have a more precise input on what they expect, to help password managers detection.

Event Timeline

Phabricator does not offer to add a blocking task, so linking T313058 that wants to disable this mechanism.

Nevermind, I was going to commit more HTML-validation attributes (inputmode="numeric" pattern="\d{6}" minlength="6" maxlength="6"), then I remembered that the same input is used for scratch tokens. Welp.

Even if Proton fixes it after I report it, I still think that the inputmode="numeric" could be a nice add.

Lofhi removed Lofhi as the assignee of this task.Jan 28 2024, 3:16 AM
Pppery closed this task as a duplicate of T316303: Check global rights during autocreation.
Pppery subscribed.

Oops, sorry, wrong task

Phabricator does not offer to add a blocking task, so linking T313058 that wants to disable this mechanism.

No it doesn't. That wants to turn off the autocomplete of previously entered entries to that box, same as T226049: When enabling 2FA, autocomplete is enabled when verifying 2FA, which follows on from T141735: AuthManager shouldn't allow the browser to show suggestions for input fields (autocomplete).

See also: T289086: Allow iOS/macOS/iPadOS to autofill 2fa codes

Even if Proton fixes it after I report it, I still think that the inputmode="numeric" could be a nice add.

Only if we hide the arrows...

See T151738: OATH code field should show numeric keyboard on mobile devices.

IMO we should separate the TOTP and scratch token fields (or use the same field but use JS to switch validation rules).