Auto-fill TOTP code

app:browser

#1

I’m attempting a migration from KeePassXC + KeePassHttp-Connector, with which, after a little bit of setup, I had auto-filling of TOTP codes working. It was incredibly convenient to have my username and password filled, hit next, and then have my TOTP code filled, then hit submit and be logged in.

Right now, the best experience with Bitwarden in Firefox is to manually click the extension icon, then click the entry to fill it (which copies the TOTP code to the clipboard), then hit next, then paste the TOTP code in, and then hit submit. Unfortunately, copying the TOTP code to the clipboard does not work with auto-fill on page load, leaving us with this required manual sequence.

The best convenience would be for the extension to not only auto-fill the username and password, but also auto-fill the TOTP code too.

We’d probably need a way to allow the user to modify an entry’s form-fill matching, so they could save to the entry which field is the TOTP field for each site.

Since we have a matching algorithm for auto-filling custom fields, my back-of-the-napkin suggestion would be to provide a special value such as {TOTP} (used by the KeePassXC+Connector) or a new custom field TOTP type, and then fill in the current TOTP code if the custom field matched using the existing algorithm.

Prior GitHub issue.
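As an added illustration of the {TOTP} placeholder idea above (example code written for this thread, not Bitwarden’s or KeePassXC’s implementation): a custom field whose value is exactly {TOTP} resolves to the entry’s current RFC 6238 code at fill time, while every other custom field is filled literally. The vault entry, its field names and the totp_secret key are constructed assumptions; the seed is the RFC 6238 test vector, so the codes can be checked against the RFC’s table.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample vault entry (not a real Bitwarden record). The "otp" custom
# field carries the {TOTP} placeholder; the seed is the RFC 6238 SHA-1 test key
# ("12345678901234567890" in base32).
SAMPLE_ENTRY = {
    "username": "alice",
    "password": "correct-horse",
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "custom_fields": {"otp": "{TOTP}", "company": "ACME"},
}


def totp(secret_b32: str, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter, HMAC-SHA1."""
    # Base32 seeds are often stored unpadded and lower-case; normalise before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(timestamp) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def resolve_field(value: str, entry: dict, now: float) -> str:
    """Return what to type into the form: a live code for {TOTP}, else the literal."""
    if value == "{TOTP}":
        if not entry.get("totp_secret"):
            # A {TOTP} field on an entry without a seed is a configuration error,
            # not something to fill with an empty string.
            raise ValueError("entry has no TOTP seed configured")
        return totp(entry["totp_secret"], now)
    return value


def fill_values(entry: dict, now: float = None) -> dict:
    """Compute the fill value of every custom field at time `now` (default: current time)."""
    now = time.time() if now is None else now
    return {name: resolve_field(v, entry, now) for name, v in entry["custom_fields"].items()}
```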


#2

In addition to this, I’d like to suggest Authy’s OneTouch Login feature. But as the dev replied, Authy has been charging fees to use this feature. (Just as told here. Please check the comments.)

So I guess the only option we have that is “more convenient” to instant login is with Duo’s push notification on mobile as a premium feature.

That’s a nice feature to have, in my opinion, but I guess it wouldn’t be available so soon.

EDIT: This might be a duplicate. More discussion about TOTPs here:


#3

It’s not a duplicate of that request (though it is similar), as it describes a button to quick-copy the TOTP code. I want this too; but I additionally want to be able to auto-fill it when auto-fill is enabled.


#4

The best convenience would be for the extension to not only auto-fill the username and password, but also auto-fill the TOTP code too.

What is the added value of 2FA/TOTP when the username, password and also the TOTP secret are stored in 1 place?


#5

The added value is that if the password itself is compromised, say by a bad machine or over the network, the account is still not compromised.

You’re correct that 2FA would not protect your accounts if your seeds are stored in Bitwarden and your vault is compromised, but this is (hopefully) the least likely scenario.

It’s much more likely that a rogue browser extension or third-party website script or MITM attack compromises the credentials of the website itself. Since the 2FA seed would therefore not have been compromised, just the one-time code, your account is still secure.


#6

At a workplace, or even at home, a compromised master password is the most likely scenario. People stand over your shoulder all the time, sometimes without you even knowing.

They can gain your master password and therefore all the individual passwords. But with a true 2-Factor (as opposed to 2-Step) Authentication, they wouldn’t be able to access the services without your phone (which you hopefully don’t leave lying on the desk, or at least it’s locked).

Also keyloggers.


#7

Then lock your Bitwarden account with 2FA that uses a different app like Authy.

The whole debate on whether or not you should keep 2FA codes in your password manager is crazy to me. Sure, it’s not truly second factor but most people who use 2FA also use the app on the same phone that has their password manager on it anyways.


#8

The phone (with password manager and Authy both secured by fingerprint) stays on me. The computer doesn’t. All that’s needed for that computer to release all my info is for me to walk away from it and either forget or not have time to lock it (or Windows bugs preventing the screensaver with lockout from kicking in). Since I am already logged in on the computer, it’s past the MFA stage for the main app.

The malicious coworkers or family members can now log in to whatever they want, and have the TOTP right there in the password manager.

This wouldn’t happen if the TOTP was on the phone only.

Why do you bother setting up 2FA if you don’t actually want 2-factor auth?


#9

Tacking onto this, it would be nice if I could right-click on a form to autofill in (or at least copy to clipboard) a TOTP code like I can a username or password since the extension won’t load in Firefox in private mode.


#10

It would also be great if the TOTP code could automatically be used to generate the password in combination with a PIN (PIN+TOTP=Password). My mail provider mailbox.org is using this method to log in with 2FA.