CMS software WoltLab Suite: TOTP field not detected

DenalB
Community Member
edited July 2021 in 1Password in the Browser

Actually, the "WoltLab Suite" is available in version 5.3. In this version, there is basically no possibility to enable 2FA. But there is an extension available which enables this feature, and it works like a charm with 1Password. The field for entering the TOTP is detected as it should be.

Here is a working example:

Now there is version 5.4 RC2 of the "WoltLab Suite" available for testing, and here 2FA options are available. The problem is that the TOTP field is not detected anymore. So there is no possibility to autofill or manually fill the TOTP code. The only thing that works is dragging and dropping the code into the TOTP field.

Here's an example:

When comparing websites, you can see the differences between now and before.

Version 5.3 with extension installed:
<input type="text" name="twoStepCode" id="twoStepCode" autocomplete="one-time-code" required="" class="" data-com-onepassword-filled="light">

Version 5.4 RC2:
<input type="text" id="code" name="code" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus="" required="" minlength="6" maxlength="6" placeholder="123456" size="6">

I asked the developer to change the naming of the field, but they don't want to change anything from their side.

Link to the developer of the CMS software:
https://www.woltlab.com

Link to the German discussion in the WoltLab-Community for that issue:
https://community.woltlab.com/thread/290984-einmalcode-automatisch-ausfüllen-passwort-manager/

If you register a new account on this website, you should be able to enable 2FA on https://www.woltlab.com/account-security/ and test this behavior. They already are using version 5.4 RC2.

I already collected website information with the help of the 1Password extension. I didn't have the possibility to save the collected information. I clicked the button and nothing happened... Did you get them?

The problem is that this issue will affect all websites which will be using the CMS software if it is available as a final release. Hopefully you can help here.


1Password Version: 1Password for Windows 8.1.2-2.BETA
Extension Version: 2.0.5.beta in Vivaldi
OS Version: Windows 10 21H1
Sync Type: 1Password.com

Comments

  • WoltLabTim
    Community Member

    Hi

    @DenalB Thank you for creating this topic.

    Let me please clarify one paragraph of the initial message:

    I asked the developer to change the naming of the field, but they don't want to change anything from their side.

    The discussion in the linked German thread within WoltLab Community revolved around the use of autocomplete="off" vs autocomplete="one-time-code".

    As it turned out, setting autocomplete="one-time-code" causes stock web browsers (without a password manager extension) to store and suggest previously used TOTP codes, which we consider to be bad user experience.

    We're happy to accommodate changes to the field (e.g. a different name attribute) if this would help 1Password detect this field. However, the use of autocomplete="one-time-code" appears to worsen the UX for the majority of users that don't use 1Password.

  • DenalB
    Community Member

    Hi @WoltLabTim !

    Thanks for jumping in. :+1:

  • DenalB
    Community Member

    Just sent the collected website information to you via email.

    Here's the ticket ID I got back: #AHV-16592-253

  • ag_ana
    1Password Alumni

    @DenalB:

    Thank you! I confirm that I have managed to locate your message in our system :+1: We will take a look and someone will get back to your email as soon as possible.

    Thank you for your patience!

    ref: AHV-16592-253

  • DenalB
    Community Member

    Thanks, @ag_ana !

    and someone will get back to your email as soon as possible

    It would be okay to get back to me here, so that others also have the possibility to get this information. ;)

  • ag_ana
    1Password Alumni
    edited July 2021

    @DenalB:

    Understood, I thought you wanted to keep the discussion private since you emailed us after opening the discussion on the forum :+1:

    Next time, please feel free to add the page details directly in the forum discussion then, so we keep everything in one place and we can reply in a single discussion without having to collect information from multiple places ;)

  • DenalB
    Community Member

    Next time, please feel free to add the page details directly in the forum discussion then, so we keep everything in one place

    Good to know! :+1:

  • ag_ana
    1Password Alumni

    :+1: :)

  • ag_chantelle
    edited July 2021

    Hey @DenalB

    Just closing the loop and for others to have visibility here. Changing the label for the TOTP in your Login to match the HTML id of the field should serve as a good workaround here. I've made sure that this one is on our development team's radar for a future release.

    Thanks again for your efforts in helping us improve!

    ref: dev/core/core#8583

  • DenalB
    Community Member
    edited July 2021

    Thank you very much, @ag_chantelle , for the workaround. It works as I told you via email. :+1:

    Now auto-filling works for the entry; the label of the one-time-field was changed to code.

    Looking forward to the implementation into the extension. ;)

  • Glad to hear it @dnalb :+1: Hopefully we'll see some positive changes for future updates.

  • WoltLabTim
    Community Member

    @ag_chantelle Thank you for sharing this work-around. I realize that the current id="code" is awfully generic to detect the field based off the ID and it can lead to false-positives, as we also use the same name and id for the fields of the backup code mechanism.

    Can you please clarify whether any changes from us would help you detect this field more easily? It would be trivial for us to adjust the name and id to, say, totpCode, otpCode or something similar. However I don't want to apply this change without your confirmation to not work against your efforts.

  • @WoltLabTim - Thanks for reaching out and for your efforts to help here! Changing the name or id to something like one-time-code would definitely improve the chances that we would consider this field interesting and fillable.

    You might also find these links helpful:

    Of course, we'll be happy to provide further guidance - if needed. :)

  • WoltLabTim
    Community Member

    Changing the name or id to something like one-time-code would definitely improve the chances that we would consider this field interesting and fillable.

    @ag_chantelle

    Can you please confirm that an id of one-time-code would be sufficient? We're aware of the one-time-code value of the autocomplete attribute, but we had to rule out the use of autocomplete="one-time-code" due to the bad behavior without password manager extensions (as mentioned in my first reply). However using id="one-time-code" + name="one-time-code" should work for us.

    If you confirm that you indeed mean name="one-time-code" and id="one-time-code" (not autocomplete="one-time-code") then I would file an issue for our software and implement the change after the weekend.

  • ag_yaron
    1Password Alumni

    Hey @WoltLabTim ,

    The word "code" is indeed too generic and does not provide 1Password with enough to go on in order to provide an autofill suggestion there, especially with the autocomplete="off" flag, which negates what few clues 1Password has here.

    Adjusting the name and id of the field to something such as one-time-code or simply onetimecode would definitely score higher in 1Password's autofilling logic and should suggest autofilling properly. Other keywords that you can use: twofactor, 6digitcode, 2step, generatedtoken.

    These all should work even if you have autocomplete="off" set in place.
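
Why the fields discussed in this thread are or are not recognised, as an added example that is not part of the original posts and is not 1Password's actual detection logic: a toy classifier that looks only at the autocomplete value and at the keywords listed in the reply above. The function names and the normalization step (lowercase, strip non-alphanumerics) are assumptions.

```javascript
// Added illustration: a toy classifier, NOT 1Password's real autofill logic.
// Keywords are the ones quoted in the reply above; normalization is an assumption.
const OTP_KEYWORDS = ["onetimecode", "twofactor", "6digitcode", "2step", "generatedtoken"];

// Markup from this thread. The third entry is the v5.4 RC2 field with id and
// name renamed to one of the suggested keywords.
const SAMPLES = {
  "5.3 + extension": '<input type="text" name="twoStepCode" id="twoStepCode" autocomplete="one-time-code" required="" class="" data-com-onepassword-filled="light">',
  "5.4 RC2": '<input type="text" id="code" name="code" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus="" required="" minlength="6" maxlength="6" placeholder="123456" size="6">',
  "renamed": '<input type="text" id="onetimecode" name="onetimecode" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus required minlength="6" maxlength="6" placeholder="123456" size="6">',
};

// Parse the attributes of a single <input ...> tag string.
// Boolean attributes (autofocus, required) are stored as "".
function parseInputAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>\s*$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report whether a field looks like an OTP input, and which signal said so.
function classifyOtpField(tag) {
  const a = parseInputAttributes(tag);
  const norm = (s) => (s || "").toLowerCase().replace(/[^a-z0-9]/g, "");
  const reasons = [];
  if (norm(a.autocomplete) === "onetimecode") reasons.push("autocomplete");
  for (const attr of ["id", "name"]) {
    const hit = OTP_KEYWORDS.find((k) => norm(a[attr]).includes(k));
    if (hit) reasons.push(`${attr}:${hit}`);
  }
  return { otp: reasons.length > 0, reasons };
}

for (const [label, tag] of Object.entries(SAMPLES)) {
  const { otp, reasons } = classifyOtpField(tag);
  console.log(`${label}: otp=${otp} reasons=[${reasons.join(", ")}]`);
}
```

In this sketch the 5.3 field is recognised only through its autocomplete value, the 5.4 RC2 field gives no signal at all, and the renamed field is recognised through id and name even though autocomplete="off" is still set.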

  • WoltLabTim
    Community Member
    edited July 2021

    @ag_yaron Thank you (and also Chantelle) for your insightful responses. A co-worker of mine went ahead and renamed the field to onetimecode ( https://github.com/WoltLab/WCF/pull/4392 ). We can confirm that 1Password now properly fills our TOTP field.

    For completeness our full HTML now looks like this:

    <input type="text" id="onetimecode" name="onetimecode" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus required minlength="6" maxlength="6" placeholder="123456" size="6">
    
  • DenalB
    Community Member
    edited July 2021

    Thank you very much @WoltLabTim and co-worker! :+1:

    Also, I want to thank you, @ag_ana , @ag_chantelle and @ag_yaron for your help here! Great job!! :love:

  • ag_yaron
    1Password Alumni

    That's great to hear :)
    Well done!

This discussion has been closed.