Why does 2FA demand password and token in a single field?

Started by Patrick M. Hausen, December 15, 2022, 09:54:05 PM

Hi all,

I am in the process of activating 2FA (TOTP) for all services that offer it. E.g. Github, our self hosted Gitlab, Hetzner, Paypal, ... you name it.

For all of these services the login procedure is the same:

1. Prompt for username and password. Sometimes first only username, <ENTER>, then password <ENTER>.
2. Then I am asked for the 6 digit one time token.

This works great because I have been using password safe software for years and the username and password get filled in automatically. Then I have one more step to enter the OTP. Perfect.

With OPNsense it seems there is only one prompt for username and password and you are supposed to append (or prepend depending on configuration) your OTP to the static password.

How is this expected to work? The password is filled in by the password manager. Visible as a bunch of dots or stars. If I append the OTP in that same field my browser asks me if I want to update the saved password for that service every single time.

WTF? What is the idea behind this completely insane user interface? Unless I get one prompt for fixed username and password and then a second one for the OTP, 2FA on OPNsense is unusable. Every other service I have ever used with TOTP does this.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think the rationale for this is the SSH login, where you only have username/password to enter and cannot have an additional step. However, one might as well have three WebUI input fields and concatenate the OTP to the password to pass it to the lower levels...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Ah - I never use SSH with passwords after initial setup. Public key authentication used and password authentication disabled in our entire DC.

Quote from: meyergru on December 15, 2022, 10:53:58 PM
I think the rationale for this is the SSH login, where you only have username/password to enter and cannot have an additional step. However, one might as well have three WebUI input fields and concatenate the OTP to the password to pass it to the lower levels...


Depends on the SSH server - I have Bitvise SSH with OTP enabled, and when using WinSCP+PuTTY they have no issues with the authentication request for an additional token code.


But I agree, having to manually append the token to the password is very old school now.

Quote from: pmhausen on December 15, 2022, 11:28:53 PM
Public key authentication used and password authentication disabled in our entire DC.

Me too and this is how it should be.
However, if you want to enforce 2FA for commands on the CLI (e.g. for sudo) after SSH auth, this is a way to enable that too.
But yes, a bit old-fashioned  ;)

br

Quote from: meyergru on December 15, 2022, 10:53:58 PM
I think the rationale for this is the SSH login, where you only have username/password to enter and cannot have an additional step. However, one might as well have three WebUI input fields and concatenate the OTP to the password to pass it to the lower levels...

I believe this is incorrect. I log in to many Linux boxes with 2FA and I get both, as shown below...

ssh root@10.1.2.2
(root@10.1.2.2) Password:
(root@10.1.2.2) Verification code:

so not sure what the thought on either Web/SSH/SCP/etc... would be. I am glad Patrick has noticed this. :D


Yes, any modern SSH implementation does password then 2FA prompt. I think we need this, as appending is not that useful.

Quote from: pmhausen on December 15, 2022, 09:54:05 PM
Hi all,

I am in the process of activating 2FA (TOTP) for all services that offer it. E.g. Github, our self hosted Gitlab, Hetzner, Paypal, ... you name it.

For all of these services the login procedure is the same:

1. Prompt for username and password. Sometimes first only username, <ENTER>, then password <ENTER>.
2. Then I am asked for the 6 digit one time token.

This works great because I have been using password safe software for years and the username and password get filled in automatically. Then I have one more step to enter the OTP. Perfect.

With OPNsense it seems there is only one prompt for username and password and you are supposed to append (or prepend depending on configuration) your OTP to the static password.

How is this expected to work? The password is filled in by the password manager. Visible as a bunch of dots or stars. If I append the OTP in that same field my browser asks me if I want to update the saved password for that service every single time.

WTF? What is the idea behind this completely insane user interface? Unless I get one prompt for fixed username and password and then a second one for the OTP, 2FA on OPNsense is unusable. Every other service I have ever used with TOTP does this.

Kind regards,
Patrick

I concur with Patrick on this one - having to remember the password (because I can't use one from my password manager) and type it, and the OTP into the PW field is an absolute pain. 

Please could we have the separate OTP field as a New Year present  ;)

Thanks for all the hard work.

Seasons greetings to all

PeterF

Actually, there is a rationale for asking both the password and the OTP at the same time: For example, with PSD2, there is a rule that when either one security factor fails, one must not disclose which one that was. Otherwise, you could still guess passwords.

This is independent of the way the interface is asking for both security factors, you could well have two separate input fields. However, asking for the OTP only after the password is correct is a giveaway, IMHO.

I am not quite sure all the other systems I use present the OTP field only if the static password is correct. It would be good practice not to. I only ask for a static password field that can be filled in by a password management system and a separate OTP field.

Guess I'll give some web sites a test drive tomorrow.  ;) I'll report back.

Quote from: meyergru on December 27, 2022, 09:35:51 PM
Actually, there is a rationale for asking both the password and the OTP at the same time: For example, with PSD2, there is a rule that when either one security factor fails, one must not disclose which one that was. Otherwise, you could still guess passwords.

This is independent of the way the interface is asking for both security factors, you could well have two separate input fields. However, asking for the OTP only after the password is correct is a giveaway, IMHO.

And what do you think your chances are of guessing the constantly changing 6-digit number with the correct password?

December 28, 2022, 11:35:25 AM #11 Last Edit: December 28, 2022, 11:38:45 AM by meyergru
Quote from: lilsense on December 27, 2022, 11:31:04 PM
And what do you think your chances are of guessing the constantly changing 6-digit number with the correct password?

Exactly one in a million. Counter question: If that is sufficient, why bother with a password at all?

BTW: PSD2 mandates an account lock after at most 5 unsuccessful tries. Why? Because even with a chance of one in a million and no lockout, the chance turns to 100% if you try long enough. And as far as I remember, there is no lockout with OpnSense.

So at least Github proceeds to the OTP entry only after a correct password was entered for the user in question and reports an "incorrect user name or password" otherwise.  :o

That's not ultra critical, but not optimal, either.

I guess this is due to the fact that 2FA is optional for that site.

December 28, 2022, 01:09:02 PM #13 Last Edit: December 28, 2022, 01:10:49 PM by meyergru
Quote from: pmhausen on December 28, 2022, 12:33:09 PM
So at least Github proceeds to the OTP entry only after a correct password was entered for the user in question and reports an "incorrect user name or password" otherwise.  :o

That's not ultra critical, but not optimal, either.

I guess this is due to the fact that 2FA is optional for that site.

With Linux, this is mainly because PAM uses different required mechanisms in order, regardless of whether 2FA is mandatory. If you follow the suggested way of configuring PAM to use TOTP, you will be presented with the verification code question only after the password is correct.

There is also no lockout, but you can rate-limit.

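Added example (not code from OPNsense, PAM or any poster in this thread): a small verifier illustrating the three points argued above, namely splitting a single "password+OTP" field as Patrick describes (append or prepend mode), meyergru's point that both factors should be checked together and every failure reported with one generic message so a wrong password is not distinguishable from a wrong token, and the 5-attempt lockout he cites from PSD2. The TOTP routine is RFC 6238 over HMAC-SHA1; the account names, passwords, the PBKDF2 iteration count, the lockout counter and the decoy-account trick for unknown usernames are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6
STEP = 30
GENERIC_FAIL = "Invalid username, password or token"
MAX_FAILURES = 5  # lockout threshold (the PSD2 figure quoted in the thread; assumed here)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default used by authenticator apps."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_combined(field: str, mode: str, digits: int = DIGITS):
    """Separate the static password from the OTP typed into one field.
    mode="append": password followed by OTP; mode="prepend": OTP first."""
    if mode not in ("append", "prepend"):
        raise ValueError(f"unknown mode {mode!r}")
    if len(field) <= digits:          # too short to hold both factors
        return field, ""
    if mode == "append":
        return field[:-digits], field[-digits:]
    return field[digits:], field[:digits]


class Account:
    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # PBKDF2 is used only because it is always available; iteration count is assumed
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def check_totp(self, token: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current step and `window` steps either side."""
        if len(token) != DIGITS or not token.isdigit():
            return False
        ok = False
        for delta in range(-window, window + 1):
            expected = totp(self.totp_secret, now + delta * STEP)
            ok |= hmac.compare_digest(expected, token)   # no early exit on match
        return ok


class Verifier:
    def __init__(self, accounts, mode: str = "append"):
        self.accounts = {a.username: a for a in accounts}
        self.mode = mode
        self.failures = {}  # username -> consecutive failed attempts (assumed in-memory store)
        # Unknown users are checked against a throwaway account so the amount of
        # work done (and hence response time) does not reveal whether the user exists.
        self._decoy = Account("", secrets.token_hex(16), secrets.token_bytes(20))

    def locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILURES

    def login(self, username: str, field: str, now=None):
        """Return (success, message). Both factors are always evaluated, and every
        failure, including a locked account, gets the same generic message."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(username, self._decoy)
        password, token = split_combined(field, self.mode)
        pw_ok = acct.check_password(password)   # evaluated even if the OTP is wrong
        otp_ok = acct.check_totp(token, now)     # evaluated even if the password is wrong
        if pw_ok and otp_ok and acct is not self._decoy and not self.locked(username):
            self.failures.pop(username, None)
            return True, "OK"
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_FAIL
```

The contrast with the PAM setup described above is in `login`: a stacked PAM configuration stops at the first failing module, so the "Verification code:" prompt itself tells the caller the password was right, whereas here both checks run unconditionally and the response carries no information about which one failed. Note that a real deployment would persist the failure counter and expire it; the in-memory dictionary here also grows with every unknown username it sees.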