infobyte / faraday

Open Source Vulnerability Management Platform
https://www.faradaysec.com
GNU General Public License v3.0
4.72k stars, 875 forks

2FA field cannot be filled via Ctrl-V #457

Open V0idC0de opened 1 year ago

V0idC0de commented 1 year ago

What's the problem this feature will solve?

When logging in, the TOTP field is divided into 6 individual input fields. While manually entering digits moves the cursor to the next field automatically, this behavior doesn't apply to using Ctrl-V to enter codes, i.e. when using a password manager generating TOTPs or pasting it otherwise.

Describe the solution you'd like

Input fields should respond to pasting 6 digits into any of them by properly entering them into the 6 individual fields. Additionally, the "Submit" action may be triggered automatically after 6 digits are entered (but this is a design decision left to you - I'd like it).

Users can then paste the TOTP and are logged in automatically, mitigating the need to paste the code somewhere and then type it in digit by digit.

Alternative Solutions

Input fields for the TOTP code could be merged into one, enabling pasting codes while keeping easy manual typing.

Additional context
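The paste behaviour requested above, as an added example in plain browser JavaScript (not Faraday's own code): the form id `totp-form`, the input class `totp-digit`, and the auto-submit via `requestSubmit()` are assumptions made for the example.

```javascript
// Added example, not Faraday's code: fill a 6-field TOTP input from one paste.
const TOTP_LENGTH = 6;

// Returns one digit per field, or null if the pasted text is not usable.
// Non-digits (spaces or dashes inserted by some password managers) are stripped first;
// a paste of the wrong length is ignored rather than partially applied.
function distributePaste(clipboardText, fieldCount = TOTP_LENGTH) {
  const digits = String(clipboardText).replace(/\D/g, '');
  if (digits.length !== fieldCount) return null;
  return digits.split('');
}

// True when every field holds exactly one digit, i.e. the form may be auto-submitted.
function isComplete(values, fieldCount = TOTP_LENGTH) {
  return values.length === fieldCount && values.every((v) => /^\d$/.test(v));
}

// Browser wiring. Assumed markup: <form id="totp-form"> containing six
// <input class="totp-digit" maxlength="1"> elements in order.
function wireTotpInputs(form) {
  const inputs = Array.from(form.querySelectorAll('input.totp-digit'));
  inputs.forEach((input, i) => {
    input.addEventListener('paste', (event) => {
      const text = event.clipboardData ? event.clipboardData.getData('text') : '';
      const digits = distributePaste(text, inputs.length);
      if (!digits) return; // not a full code: keep the browser's default single-character paste
      event.preventDefault();
      digits.forEach((d, j) => { inputs[j].value = d; });
      inputs[inputs.length - 1].focus();
      if (isComplete(inputs.map((x) => x.value), inputs.length)) form.requestSubmit();
    });
    // Typing one digit advances to the next field (the existing behaviour the issue describes).
    input.addEventListener('input', () => {
      if (/^\d$/.test(input.value) && i < inputs.length - 1) inputs[i + 1].focus();
    });
  });
}

if (typeof document !== 'undefined') {
  const form = document.getElementById('totp-form');
  if (form) wireTotpInputs(form);
}
```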

ezk06eer commented 1 year ago

@V0idC0de the way chosen, not allowing Ctrl+V, is done to prevent the hijack of the code; it is supposed a user logs in once a day into Faraday. We will let the product team know about this suggestion, but it is neither a bug nor a problem.

V0idC0de commented 1 year ago

Hi @ezk06eer, thanks for responding so quickly. Yes, I didn't consider this a bug either, hence I opened it as a feature idea/request. I've seen the suggested behavior on other sites, which either do the scripted insertion described earlier or just use a single field, which is compatible with pasting the code.

How 6 individual fields prevent a hijacking scenario isn't quite clear to me, but I'll leave that design choice to you. As a reference, I'd name sites like PayPal or Azure/O365 Authentication. Unfortunately, I cannot name an example for the scenario of 6 fields with a script properly inserting everything when something is pasted into them, but it definitely exists. Password managers capable of generating TOTP codes are just as common - Bitwarden and LastPass, to name two.

ezk06eer commented 1 year ago

Hi @V0idC0de, I will post this suggestion in our product channel. Thanks a lot for the feedback.

Faraday Team.