CMS software WoltLab Suite: TOTP field not detected

That's great to hear :)
Well done!

Thank you very much @WoltLabTim and co-worker! :+1:

Also, I want to thank you, @ag_ana , ag_chantelle and @ag_yaron for your help here! Great job!! :love:

@ag_yaron Thank you (and also Chantelle) for your insightful responses. A co-worker of mine went ahead and renamed the field to onetimecode ( https://github.com/WoltLab/WCF/pull/4392 ). We can confirm that 1Password now properly fills our TOTP field.

For completeness our full HTML now looks like this:


<input type="text" id="onetimecode" name="onetimecode" value="" class="multifactorTotpCode" inputmode="numeric" autocomplete="off" pattern="[0-9]*" autofocus required minlength="6" maxlength="6" placeholder="123456" size="6">


Hey @WoltLabTim ,

The word "code" is indeed too generic and does not provide 1Password with enough to go on in order to provide an autofill suggestion there, especially with the autocomplete="off" flag, which negates what little clues 1Password have here.

Adjusting the name and id of the field to something such as one-time-code or simply onetimecode would definitely score higher in 1Password's autofilling logic and should suggest autofilling properly. Other keywords that you can use: twofactor, 6digitcode, 2step, generatedtoken.

These all should work even if you have autocomplete="off" set in place.

Changing the name or id to something like one-time-code would definitely improve the chances that we would consider this field interesting and fillable.

ag_chantelle

Can you please confirm that an id of one-time-code would be sufficient? We're aware of the one-time-code value of the autocomplete attribute, but we had to rule out the use of autocomplete="one-time-code" due to the bad behavior without password manager extensions (as mentioned in my first reply). However using id="one-time-code" + name="one-time-code" should work for us.

If you confirm that you indeed mean name="one-time-code" and id="one-time-code" (not autocomplete="one-time-code") then I would file an issue for our software and implement the change after the weekend.

@WoltLabTim - Thanks for reaching out and for your efforts to help here! Changing the name or id to something like one-time-code would definitely improve the chances that we would consider this field interesting and fillable.

You might also find these links helpful:

• The HTML spec standard for autofilling: https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill
• Our basic guide for developers: https://support.1password.com/compatible-website-design/
• Additional sample forms we use to test filling (login, signup, credit card etc): https://fill.dev/

Of course, we'll be happy to provide further guidance - if needed. :)

ag_chantelle Thank you for sharing this work-around. I realize that the current id="code" is awfully generic to detect the field based off the ID and it can lead to false-positives, as we also use the same name and id for the fields of the backup code mechanism.

Can you please clarify whether any changes from us would help you detect this field more easily? It would be trivial for us to adjust the name and id to, say, totpCode, otpCode or something similar. However I don't want to apply this change without your confirmation to not work against your efforts.

Glad to hear it @dnalb :+1: Hopefully we'll see some positive changes for future updates.

Thank you very much, ag_chantelle , for the workaround. It works as I told you via email. :+1:

Now auto-filling works for the entry, the label of the one-time-field was changed to code.

Looking forward to the implementation into the extension. ;)

Hey DenalB

Just closing the loop and for others to have visibility here. Changing the label for the TOTP in your Login to match the HTML id of the field should serve as a good workaround here. I've made sure that this one is on our development team's radar for a future release.

Thanks again for your efforts in helping us improve!

ref: ref: dev/core/core#8583