keepassxreboot / keepassxc-browser

KeePassXC Browser Extension
GNU General Public License v3.0

Logging into 2 Page Logins #1087

Open CerebralFreeze opened 3 years ago

CerebralFreeze commented 3 years ago

Overview

Unfortunately, I'm unable to log into websites that use 2 web pages for the login process. The 1st page is for the username. The 2nd page is for the password. I'm assuming they deliberately use this process for security reasons as it does prevent KeePassXC from correctly identifying fields and placing the login or password icon at the right side of the entry field. Many websites have started to use this process like Amazon, Gmail, Google, etc.

Steps to Reproduce

  1. Go to Amazon and press the login button.
  2. If you use the browser extension to Choose Custom Login Fields, it will correctly identify the field for the username.
  3. After entering the login, the website takes you to the next web page which is the step in which you enter the password. Now, if you use the browser extension to Choose Custom Login Field, it cannot identify the field for password. Let me take that back. It can correctly identify the field except it will remove the identification of the username field. So, the next time you try to log in, the username field won't be correctly identified anymore. Essentially, KeePassXC can only correctly identify 1 of the 2 fields. If you make KeePassXC identify the username field, it can't identify the password field. If you make KeePassXC identify the password field, it can't identify the username field.

Expected Behavior

Correct identification of both the username and password fields with the placement of the KeePassXC icon at the far right side of the field.

Actual Behavior

Only 1 of the 2 fields can be correctly identified by KeePassXC. Currently, I have the KeePassXC icon placed in the password field since it's harder to memorize and type in.

Context

I'm assuming that websites have instituted this login process to thwart hackers as the domain name is the same for two web pages. I'm assuming that this confuses a hacker's program. But, it also confuses KeePassXC apparently.

KeePassXC - Version 2.6.2 Revision: e9b9582

Qt 5.15.1 Debugging mode is disabled.

Operating system: Windows 10 Version 2004 CPU architecture: x86_64 Kernel: winnt 10.0.19041

Enabled extensions:

Cryptographic libraries: libgcrypt 1.8.6

Operating System: Windows 10 Desktop Env: Windows Finder, Directory Opus

varjolintu commented 3 years ago

What's the extension version you are using? With 1.7.2 Amazon etc. should be recognized automatically without needing to use Custom Login Fields or Site Preferences.

CerebralFreeze commented 3 years ago

Hey Varjolintu, (By the way, is Varjo your first name?)

Please tell me how you do it! Pretty please. I'm using extension version 1.7.2. I can't log into Amazon and Gmail right away, which is extremely annoying when I use certain websites. Every time I need to purchase from Amazon (which I do a few times every day for my small business), I have to type in my username. (Amazon always logs you out automatically.) With Gmail, I have to type in my username and then select the password from a very long list every morning. (I have maybe like 30 Gmail accounts.) I use 4 different Gmail accounts every day, so it's annoying to open each one separately. I converted my email program from Outlook to Gmail web, but now I'm thinking of spending 1000000 hours to convert all my email back to Outlook because it's getting annoying.

Please tell me how you did it! What settings do you use? The following are the checked options in settings in my browser extension:

General

USER INTERFACE
  - Activate username field icons
  - Activate password generator icons
  - Show notifications

FILLING CREDENTIALS
  - Automatically retrieve credentials
  - Activate autocomplete for username fields
  - Auto-submit login forms
  - Automatically fill in single-credential entries

SAVE CREDENTIALS
  - Show a banner on the page when new credentials can be saved to the database
  - Always ask where to save new credentials
  - Save domain only
  - Number of allowed redirects: 5

ADVANCED SETTINGS
  - Use dynamic input field detection
  - Save domain only
  - Use predefined sites for compatibility

Should I uncheck any of the above options?

varjolintu commented 3 years ago

I don't use anything extra for Amazon. It just works. Same with GMail. I don't use Auto-submit.

CerebralFreeze commented 3 years ago

I think I tried every combination of settings. I can't get it to work. The URL for the login page and the password page are the same. Can KeePassXC recognize that the webpage has changed even though the URL hasn't?


varjolintu commented 3 years ago

It can, and Amazon and GMail are the most tested ones.

AriesFR commented 3 years ago

Hi, I have an issue when enabling the Amazon two-factor authentication using an external app. Either the password page or the TOTP page works, but not both. Natively, the password page is OK, but the TOTP is not proposed, and if I choose custom identification fields to set up the TOTP, then the password page is not auto-filled anymore. I believe the solution would be to be able to select custom fields by page and not by site. Also, being able to edit the page URL to be more discriminating (use a path after the site name filter) would also be great. Hope it helps, AriesFR

varjolintu commented 3 years ago

@AriesFR Can you still fill the TOTP using context menu or a keyboard shortcut?

AriesFR commented 3 years ago

Thanks @varjolintu. Yes, I can use the menu or the shortcut, but it would be much easier to just click on the usual ellipsis icon in the box... if it existed. Sorry, I know I'm lazy ;) What I saw when I dug a little to find out where my issue was, is that those two pages obviously use different URLs (https://www.amazon.fr/ap/signin?... and https://www.amazon.fr/ap/mfa?...) and that a simple filter would do the trick. Cheers, AriesFR

varjolintu commented 3 years ago

@AriesFR This definitely needs some special handling. I'll see what I can do about it.

EDIT: Actually the problem lies with Amazon's 2FA field, as it defines the maxLength as 20. We ignore 2FA fields with a maxLength longer than 10. So the special handling will need to be made only for the 2FA field check.

varjolintu commented 3 years ago

@AriesFR #1142 will probably help you :) Just wait for the next version.

AriesFR commented 3 years ago

Thanks @varjolintu, that looks excellent!

frederickjh commented 3 years ago

I am seeing the same thing on the 2FA field on www.drupal.org which has a maxLength of 128. I have the newest version of the keepassxc-browser plugin 1.7.4 and still the 2FA field is not recognized. I do not have custom fields or site preferences assigned for this website.


The login URL is: https://www.drupal.org/user/login While the 2FA URL is something like: https://www.drupal.org/system/tfa/######/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I have the login URL above in KeepassXC and two additional URLS in Browser Integration: https://www.drupal.org/ and https://www.drupal.org/system/tfa.

I am not sure if it is best to only add the domain name in the Additional URLs or the exact page URL. In the case of the www.drupal.org 2FA page the URL is different each time. The last part of the string, the Xs, changes. They also have a query string defined after the URL to send the user back to the page they came from that looks like this: ?destination=node/2958929. I get the thought that these query strings are not being handled properly by the extension. I think that as they can be different each time they should be ignored when trying to match a page for the login or 2FA page. So it ends up looking like https://www.drupal.org/system/tfa/######/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?destination=node/2958929

varjolintu commented 2 years ago

@frederickjh Sorry for the late answer, but it should be enough to use just https://drupal.org in your entry as the URL.
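The two comments above turn on how an entry URL is matched against a page whose path and query string change on every visit. As an added example (a hypothetical matcher written for this thread, not keepassxc-browser's own matching code), the script below compares scheme and host, lets an entry on the registrable domain cover its subdomains, treats the entry path as a prefix, and ignores query strings and fragments. It shows why a bare https://drupal.org entry covers both the login page and the per-visit tfa URLs; the page URLs are constructed from the patterns quoted in the thread.

```javascript
// Added example, not keepassxc-browser's own matching logic: decide whether a
// stored entry URL covers a page URL. Query strings and fragments are ignored
// because they vary between visits; scheme is compared so an https entry does
// not get offered on a plain-http page. URLs below are constructed from the
// patterns described in the thread.

function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// An entry without a scheme (for example "drupal.org") is treated as https.
function parseEntryUrl(entry) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(entry) ? entry : `https://${entry}`;
  return new URL(withScheme);
}

// Exact host match, or the page host is a subdomain of the entry host.
// The leading dot prevents "drupal.org.example.net" from matching "drupal.org".
function hostMatches(entryHost, pageHost) {
  const e = normalizeHost(entryHost);
  const p = normalizeHost(pageHost);
  return p === e || p.endsWith(`.${e}`);
}

// The entry path is a prefix on segment boundaries; a root entry covers everything.
function pathMatches(entryPath, pagePath) {
  const base = entryPath.replace(/\/+$/, '');
  if (base === '') return true;
  return pagePath === base || pagePath.startsWith(`${base}/`);
}

function entryMatchesPage(entryUrl, pageUrl) {
  const e = parseEntryUrl(entryUrl);
  const p = new URL(pageUrl);
  if (e.protocol !== p.protocol) return false;
  if (!hostMatches(e.hostname, p.hostname)) return false;
  return pathMatches(e.pathname, p.pathname);   // p.search and p.hash are intentionally not consulted
}

// The three URLs frederickjh described having on the entry.
const ENTRY_URLS = [
  'https://drupal.org',
  'https://www.drupal.org/user/login',
  'https://www.drupal.org/system/tfa',
];

// Constructed page URLs: the login page, a per-visit tfa URL with its redirect
// query string, a plain-http variant, and a look-alike host on another domain.
const PAGE_URLS = [
  'https://www.drupal.org/user/login',
  'https://www.drupal.org/system/tfa/123456/ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEF?destination=node/2958929',
  'http://www.drupal.org/user/login',
  'https://drupal.org.example.net/user/login',
];

// For one page URL, return the entry URLs that cover it.
function matchingEntries(pageUrl, entries = ENTRY_URLS) {
  return entries.filter(entry => entryMatchesPage(entry, pageUrl));
}

for (const page of PAGE_URLS) {
  console.log(page, '->', matchingEntries(page));
}
```

The root entry https://drupal.org matches both real pages on its own, the /system/tfa entry matches the tfa page despite the changing token and query string, and neither the http variant nor the look-alike host gets any entry.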

jurgenhaas commented 2 years ago

I came across the same issue over at #1649 and then found this one here. And I tried setting the maxlength=6 on that code field for TOTP input, then it works just fine. I'm using version 1.8.1 of the browser plugin, so the mentioned fix above doesn't seem to work here.