I've been playing with the OTP in OPNsense and have come to the conclusion that the current implementation is getting in the way of password managers. The reason is that concatenating the OTP digits to the password in the same input field makes the password manager believe that the user has changed the password and offers to update it in its database, invalidating the password. So, every time one logs in with the password manager active, the update needs to be cancelled. This makes OTP usage awkward. I'd like to suggest doing what every other website does and providing separate fields for password and OTP code.
Btw, are there any plans to support passkeys?
That problem seems to be on the list, but with no firm release date: https://github.com/opnsense/core/issues/8239
Similarly it would be great if one could enforce 2FA per user instead of just globally by disabling simple password login.
Thanks for looking this up, meyergru. The discussion on github is taking a wrong turn, in my opinion. Other 2FA enabled systems use a two step approach, the 2FA only being queried after the account and password screen. The point is, the second screen will always be displayed, regardless of the correctness of the account/password pair, thus not giving away any indication of the correctness of the info in the first.
+1 for Patrick's point
As I already said in the discussion, I think most password managers will work with a third field on the screen which does not have to be filled when only 1FA is active. That way, you can check both credentials at once, giving away nothing. And neither does that change give away the OPNsense version - or at least not any more than it is now, given that JS and CSS files are not password protected and have all relevant versions in them to pinpoint the exact OPNsense release.
If you always present a follow-up screen for the 2nd factor, you will make most people mad for having to do an additional step at login, when they do not even want 2FA.
This is even more true when Patrick's wish is granted, because then, you cannot discriminate on 2FA being enabled globally.
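The single-screen approach discussed above (password and OTP fields evaluated together, one generic verdict, the OTP field left empty for 1FA accounts), as an added example that is not OPNsense's code. The user store, salt, secrets and the ±1 time-step drift window are assumptions of this example:

```python
import hashlib, hmac, struct, time
from typing import Optional

# Constructed demo user store (not OPNsense's real backend): one user with
# 2FA enabled, one with password-only. PBKDF2 stands in for the real hash.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {"pw": _pbkdf2("correct horse", _SALT), "totp_secret": b"12345678901234567890"},
    "bob":   {"pw": _pbkdf2("battery staple", _SALT), "totp_secret": None},
}
# Dummy record so an unknown username costs the same work as a known one.
_DUMMY = {"pw": _pbkdf2("dummy", _SALT), "totp_secret": b"dummy-secret-dummy-s"}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant most authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_login(username: str, password: str, otp: str, now: Optional[int] = None) -> bool:
    """Single-screen check: both fields are always evaluated and the caller only
    learns ok / not ok, never which factor (or the username) was wrong."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_pbkdf2(password, _SALT), user["pw"])
    if user["totp_secret"] is None:
        # 1FA account: the third field simply stays empty (password managers leave it blank).
        otp_ok = otp == ""
    else:
        # Accept the current step plus one step either side for clock drift (assumption).
        otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + d), otp)
                     for d in (-30, 0, 30))
    # No early return: both factors are computed before the single verdict.
    return pw_ok and otp_ok and username in USERS
```

The `totp` values for the secret `12345678901234567890` match the RFC 6238 test vectors truncated to six digits, which is how the example can be checked offline.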