CMS software WoltLab Suite: TOTP field not detected
Actually, the "WoltLab Suite" is available in version 5.3. In this version, there is basically no possibility to enable 2FA. But there is an extension available which enables this feature, and it works like a charm with 1Password. The field for entering the TOTP is detected as it should be.
Here is a working example:
Now there is version 5.4 RC2 of the "WoltLab Suite" available for testing and here 2FA options are available. The problem is that the TOTP field is not detected anymore. So there is no possibility to autofill or manually fill the TOTP code. The only thing that works is drag and drop the code into the TOTP field.
Here's an example:
When comparing websites, you can see the differences between now and before.
Version 5.3 with extension installed:
<input type="text" name="twoStepCode" id="twoStepCode" autocomplete="one-time-code" required="" class="" data-com-onepassword-filled="light">
Version 5.4 RC2:
<input type="text" id="code" name="code" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus="" required="" minlength="6" maxlength="6" placeholder="123456" size="6">
I asked the developer to change the naming of the field, but they don't want to change anything from their side.
Link to the developer of the CMS software:
https://www.woltlab.com
Link to the German discussion in the WoltLab-Community for that issue:
https://community.woltlab.com/thread/290984-einmalcode-automatisch-ausfüllen-passwort-manager/
If you register a new account on this website, you should be able to enable 2FA on https://www.woltlab.com/account-security/ and test this behavior. They already are using version 5.4 RC2.
I already collected website information with the help of the 1Password extension. I didn't have the possibility to save the collected information. I clicked the button and nothing happened... Did you get them?
The problem is that this issue will affect all websites which will be using the CMS software if it is available as a final release. Hopefully you can help here.
1Password Version: 1Password for Windows 8.1.2-2.BETA
Extension Version: 2.0.5.beta in Vivaldi
OS Version: Windows 10 21H1
Sync Type: 1Password.com
Comments
-
Hi
@DenalB Thank you for creating this topic.
Let me please clarify one paragraph of the initial message:
I asked the developer to change the naming of the field, but they don't want to change anything from their side.
The discussion in the linked German thread within WoltLab Community revolved around the use of autocomplete="off" vs autocomplete="one-time-code". As it turned out, setting autocomplete="one-time-code" causes stock web browsers (without a password manager extension) to store and suggest previously used TOTP codes, which we consider to be bad user experience.
We're happy to accommodate changes to the field (e.g. a different name attribute) if this would help 1Password detecting this field. However, the use of autocomplete="one-time-code" appears to worsen the UX for the majority of users that don't use 1Password.
0 -
Hi @WoltLabTim !
Thanks for jumping in. :+1:
0 -
Just sent the collected website information to you via email.
Here's the ticket ID I got back: #AHV-16592-253
0 -
Understood, I thought you wanted to keep the discussion private since you emailed us after opening the discussion on the forum :+1:
Next time, please feel free to add the page details directly in the forum discussion then, so we keep everything in one place and we can reply in a single discussion without having to collect information from multiple places ;)
0 -
Next time, please feel free to add the page details directly in the forum discussion then, so we keep everything in one place
Good to know! :+1:
0 -
:+1: :)
0 -
Hey @DenalB
Just closing the loop and for others to have visibility here. Changing the label for the TOTP in your Login to match the HTML id of the field should serve as a good workaround here. I've made sure that this one is on our development team's radar for a future release.
Thanks again for your efforts in helping us improve!
ref: dev/core/core#8583
0 -
Thank you very much, @ag_chantelle , for the workaround. It works as I told you via email. :+1:
Now auto-filling works for the entry, the label of the one-time-field was changed to code.
Looking forward to the implementation into the extension. ;)
0 -
Glad to hear it @dnalb :+1: Hopefully we'll see some positive changes for future updates.
0 -
@ag_chantelle Thank you for sharing this work-around. I realize that the current id="code" is awfully generic to detect the field based off the ID and it can lead to false-positives, as we also use the same name and id for the fields of the backup code mechanism.
Can you please clarify whether any changes from us would help you detect this field more easily? It would be trivial for us to adjust the name and id to, say, totpCode, otpCode or something similar. However, I don't want to apply this change without your confirmation to not work against your efforts.
0 -
@WoltLabTim - Thanks for reaching out and for your efforts to help here! Changing the name or id to something like one-time-code would definitely improve the chances that we would consider this field interesting and fillable.
You might also find these links helpful:
- The HTML spec standard for autofilling: https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill
- Our basic guide for developers: https://support.1password.com/compatible-website-design/
- Additional sample forms we use to test filling (login, signup, credit card etc): https://fill.dev/
Of course, we'll be happy to provide further guidance - if needed. :)
0 -
Changing the name or id to something like one-time-code would definitely improve the chances that we would consider this field interesting and fillable.
Can you please confirm that an id of one-time-code would be sufficient? We're aware of the one-time-code value of the autocomplete attribute, but we had to rule out the use of autocomplete="one-time-code" due to the bad behavior without password manager extensions (as mentioned in my first reply). However, using id="one-time-code" + name="one-time-code" should work for us.
If you confirm that you indeed mean name="one-time-code" and id="one-time-code" (not autocomplete="one-time-code") then I would file an issue for our software and implement the change after the weekend.
0 -
Hey @WoltLabTim ,
The word "code" is indeed too generic and does not provide 1Password with enough to go on in order to provide an autofill suggestion there, especially with the autocomplete="off" flag, which negates what little clues 1Password have here.
Adjusting the name and id of the field to something such as one-time-code or simply onetimecode would definitely score higher in 1Password's autofilling logic and should suggest autofilling properly. Other keywords that you can use: twofactor, 6digitcode, 2step, generatedtoken.
These all should work even if you have autocomplete="off" set in place.
0 -
@ag_yaron Thank you (and also Chantelle) for your insightful responses. A co-worker of mine went ahead and renamed the field to onetimecode ( https://github.com/WoltLab/WCF/pull/4392 ). We can confirm that 1Password now properly fills our TOTP field.
For completeness our full HTML now looks like this:
<input type="text" id="onetimecode" name="onetimecode" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus required minlength="6" maxlength="6" placeholder="123456" size="6">
0 -
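Added example, not part of the thread and not 1Password's or WoltLab's code: a small lint that checks the three input tags quoted above against the name/id keywords suggested in the replies. The matching rule (substring match after stripping separators) and the verdict names are assumptions made for illustration.

```javascript
// Added illustration, not 1Password's detection logic: the keyword list is the
// one suggested in this thread; the matching and verdict names are assumptions.
const OTP_KEYWORDS = ["onetimecode", "twofactor", "6digitcode", "2step", "generatedtoken"];

// The three <input> tags quoted in the thread (extension-injected attribute omitted).
const SAMPLES = {
  v53: '<input type="text" name="twoStepCode" id="twoStepCode" autocomplete="one-time-code" required="" class="">',
  v54rc2: '<input type="text" id="code" name="code" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus="" required="" minlength="6" maxlength="6" placeholder="123456" size="6">',
  fixed: '<input type="text" id="onetimecode" name="onetimecode" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus required minlength="6" maxlength="6" placeholder="123456" size="6">',
};

// Parse the attributes of one <input ...> tag; valueless attributes map to "".
function parseInputTag(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>\s*$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Lowercase and drop separators so "one-time-code" and "onetimecode" compare equal.
const squash = (s) => (s || "").toLowerCase().replace(/[^a-z0-9]/g, "");

// Report which signals mark the field as a one-time-code input.
function lintOtpField(tag) {
  const a = parseInputTag(tag);
  const hinted = ["id", "name"].filter((k) =>
    OTP_KEYWORDS.some((kw) => squash(a[k]).includes(kw)));
  const acHint = (a.autocomplete || "").toLowerCase() === "one-time-code";
  let verdict = "no-hint"; // e.g. id="code" together with autocomplete="off"
  if (acHint) verdict = "autocomplete-hint";
  if (hinted.length > 0) verdict = "name-or-id-hint";
  return { verdict, hinted, autocomplete: a.autocomplete ?? null };
}

for (const [label, tag] of Object.entries(SAMPLES)) {
  console.log(label, lintOtpField(tag));
}
```
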
Thank you very much @WoltLabTim and co-worker! :+1:
Also, I want to thank you, @ag_ana , @ag_chantelle and @ag_yaron for your help here! Great job!! :love:
0 -
That's great to hear :)
Well done!