Auto-fill TOTP code

I’m attempting a migration from KeePassXC + KeePassHttp-Connector, with which, after a little bit of setup, I had auto-filling of TOTP codes working. It was incredibly convenient to have my username and password filled, hit next, and then have my TOTP code filled, then hit submit and be logged in.

Right now, the best experience with Bitwarden in Firefox is to manually click the extension icon, then click the entry to fill it (which copies the TOTP code to the clipboard), then hit next, then paste the TOTP code in, and then hit submit. Unfortunately, copying the TOTP code to the clipboard does not work with auto-fill on page load, leaving us with this required manual sequence.

The best convenience would be for the extension to not only auto-fill the username and password, but also auto-fill the TOTP code too.

We’d probably need a way to allow the user to modify an entry’s form-fill matching, so they could save to the entry which field is the TOTP field for each site.

Since we have a matching algorithm for auto-filling custom fields, my back-of-the-napkin suggestion would be to provide a special value such as {TOTP} (used by the KeePassXC+Connector) or a new custom field TOTP type, and then fill in the current TOTP code if the custom field matched using the existing algorithm.

Prior GitHub issue.

1 Like

In addition to this, I’d like to suggest Authy’s OneTouch Login feature. But as the dev replied, Authy has been charging fees to use this feature. (Just as told here. Please check the comments.)

So I guess the only option we have that is “more convenient” to instant login is with Duo’s push notification on mobile as a premium feature.

That’s a nice feature to have, in my opinion, but I guess it wouldn’t be available so soon.

EDIT: This might be a duplicate. More discussion about TOTPs here:

The best convenience would be for the extension to not only auto-fill the username and password, but also auto-fill the TOTP code too.

What is the added value of 2FA/TOTP when the username, password and also the TOTP secret are stored in 1 place?

At a workplace, or even at home, a compromised master password is the most likely scenario. People stand over your shoulder all the time, sometimes without you even knowing.

They can gain your master password and therefore all the individual passwords. But with a true 2-Factor (as opposed to 2-Step) Authentication, they wouldn’t be able to access the services without your phone (which you hopefully don’t leave lying on the desk, or at least it’s locked).

Also keyloggers.

1 Like

Then lock your Bitwarden account with 2FA that uses a different app like Authy.

The whole debate on whether or not you should keep 2FA codes in your password manager is crazy to me. Sure, it’s not truly second factor but most people who use 2FA also use the app on the same phone that has their password manager on it anyways.

1 Like

The phone (with password manager and Authy both secured by fingerprint) stays on me. The computer doesn’t. All that’s needed for that computer to release all my info is for me to walk away from it and either forget or not have time to lock it (or Windows bugs preventing the screensaver with lockout from kicking in). Since I am already logged in on the computer, it’s past the MFA stage for the main app.

The malicious coworkers or family members can now log in to whatever they want, and have the TOTP right there in the password managers.

This wouldn’t happen if the TOTP was on the phone only.

Why do you bother setting up 2FA if you don’t actually want 2-factor auth?

2 Likes

Tacking onto this, it would be nice if I could right-click on a form to autofill in (or at least copy to clipboard) a TOTP code like I can a username or password since the extension won’t load in Firefox in private mode.

It would also be great if the TOTP code could automatically be used to generate the password in combination with a PIN (PIN+TOTP=Password). My mail provider mailbox.org is using this method to log in with 2FA.

1 Like
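The `{TOTP}` custom-field value proposed in the opening post, and the PIN+TOTP password described just above, sketched as an added example (not Bitwarden's or KeePassXC's code). `resolveCustomFields`, the entry shape and the 5-second cutoff are hypothetical; the secret is the RFC 6238 test key, and Node's `crypto` module is used so the block runs outside a browser.

```javascript
const crypto = require('node:crypto');

// Decode an RFC 4648 base32 secret (the form carried in otpauth:// URIs).
function base32Decode(text) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  const bytes = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error('invalid base32 character: ' + ch);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return Buffer.from(bytes);
}

// RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time-step counter.
function totp(secretBase32, unixSeconds, { digits = 6, period = 30 } = {}) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / period)));
  const mac = crypto.createHmac('sha1', base32Decode(secretBase32)).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}

// Hypothetical resolver: expand {TOTP} inside custom-field values (30 s period).
function resolveCustomFields(entry, unixSeconds, minSecondsLeft = 5) {
  const secondsLeft = 30 - (unixSeconds % 30);
  const fields = {};
  for (const [name, value] of Object.entries(entry.customFields)) {
    if (!value.includes('{TOTP}')) { fields[name] = value; continue; }
    // Skip the fill (null) when the code would expire before it is submitted.
    const usable = Boolean(entry.totpSecret) && secondsLeft >= minSecondsLeft;
    fields[name] = usable ? value.split('{TOTP}').join(totp(entry.totpSecret, unixSeconds)) : null;
  }
  return { fields, secondsLeft };
}

// Constructed sample entry: a plain TOTP field and a PIN+TOTP password field.
const sampleEntry = {
  totpSecret: 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
  customFields: { otp_code: '{TOTP}', password: '4711{TOTP}', region: 'eu' },
};
```

A `null` field tells the caller to wait for the next 30-second step instead of filling a code that is about to expire.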

I would like to add my vote on this. I actually signed up for this feature. Took me a few minutes to realize that the TOTP code is actually copied to your clipboard when you login. Pretty neat!

3 Likes

Yeah I just discovered that by accident while going through the settings. It’s an awesome feature but hard to find. Might be good to make an alert briefly pop up when the TOTP code is copied to the clipboard, to make this more obvious.

4 Likes

Keeper for example has a feature where the TOTP code is automatically filled in and sent.
I would love to have the same in Bitwarden one day.
The initial suggestion with the custom input field would be sufficient to create this behavior ourselves.

There is no real point in not doing this, if someone has your master password or is on your machine they already have the TOTP anyway. For added security, you could ping a secondary device like phone, watch, … before actually revealing or copying 2FA codes in the whole eco-system.

1 Like

I’ve noticed the same thing. When auto-fill is NOT enabled, when you select an item to fill, the TOTP code is automatically placed in the copy buffer, so you only need to paste it in when it appears (although sometimes the code has expired before you have time to paste it). When auto-fill is enabled, the code isn’t put into the buffer, and you have to go back in and manually copy it in… which effectively defeats the purpose of having auto-fill enabled in the first place. Actually, for TOTP usage, it’s faster and more efficient to just turn Auto-fill off.

1 Like

Thanks for the continued feedback. For forum readers, the current flow works like this:

If a login uses the Bitwarden authenticator for TOTPs, using Cmd/Ctrl + Shift + L will automatically copy your TOTP to your clipboard after auto-filling. All you have to do is Cmd/Ctrl + V to paste!

1 Like

Yes, it’s OK if you are entering some website (authentication with login+pass+totp)… But, for example, while using clientbank, each operation should be verified by TOTP… and there is no hotkey to copy the current TOTP to the clipboard or autofill it

Hey @daromanyuk, can you provide more detail on the use case where the TOTP being stored with the item and copied to the clipboard after autofilling is not working?

@dwbit I think I’m familiar with the use-case that @daromanyuk is describing. Some bank sites (e.g., many banks in Europe) require you to authenticate each individual transaction (e.g., bill payments, money transfers, etc.) using a TOTP code. Thus, after logging in to one’s bank account, it is likely that several additional TOTP codes will be required. Auto-filling is no longer relevant at that point, since the user is already logged in.

Ah, thanks for clarifying @grb

1 Like