I recently encountered software that requires me to put my password followed by a TOTP token into a single entry field. (Similar as to what is depicted in this question).

While it can be debated whether this is a bad design choice (e.g. a separate entry field for the OTP would be self-explanatory) my actual question is:

Is password-append-OTP bad practice from a security point of view?

Martin
    From the answers to the linked question, all that happens is that the OTP is stripped off the end of the string and the password and OTP strings are parsed separately, just as one would if there were different fields. Where are you seeing a security impact? – schroeder Mar 31 '22 at 11:30

1 Answer

If the application just strips off the last six digits (or whatever) of the entered value and then processes the two separately, then it's not really much different to having the user enter them in two different fields.

However, it will prevent the user from saving the "password" in their browser (as it will be different each time), and might also make it harder for them to log in using the auto-type or auto-fill feature that most password managers implement.

Whether you consider those to be security benefits or security issues (or neither) will depend on the specifics of the application, and the environment that it's used in.

It does also make the authentication code more complicated if OTPs are not enforced for all users, because the application will either have to check whether an OTP is expected for that user before parsing the string, or will have to try the authentication attempt twice (once with an OTP and once without). And adding complexity to authentication code increases the likelihood that you introduce bugs into it.

Gh0stFish
  • Autofill provides some level of protection against phishing (because it will not autofill on the wrong site), so I would argue that this is a security issue, albeit a rather niche one. – Kevin Apr 01 '22 at 17:43
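
The following is an added example (not code from the question, the answer, or any product mentioned) showing the parsing the answer describes and the complication it warns about. It assumes a constructed user table with a PBKDF2 password hash per user and an optional TOTP secret; the secret, salt and passwords are made up, and the TOTP routine is a standard-library implementation of RFC 6238 (HMAC-SHA1, 30-second step). `authenticate` decides whether an OTP is expected before stripping the suffix; the hypothetical `naive_authenticate` always strips it and so locks out a non-enrolled user whose password happens to end in six digits.

```python
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6
_SALT = b"constructed-demo-salt"  # constructed; a real system uses a per-user random salt


def _hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed users: alice has enrolled TOTP (RFC 6238 test secret), bob has not,
# and bob's password ends in six digits, which is exactly the awkward case.
USERS = {
    "alice": {"pw_hash": _hash_password("correct horse"),
              "totp_secret": b"12345678901234567890"},
    "bob":   {"pw_hash": _hash_password("ends-in-123456"),
              "totp_secret": None},
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step, HMAC-SHA1, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))


def split_password_otp(combined: str) -> tuple:
    """Strip the trailing OTP digits from the single entry field."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        raise ValueError("no OTP suffix present")
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]


def authenticate(username: str, combined: str, now: int = None) -> bool:
    """Check enrolment first, then parse: the approach the answer recommends."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if user["totp_secret"] is None:
        # No OTP expected: the whole field is the password, digits included.
        return hmac.compare_digest(_hash_password(combined), user["pw_hash"])
    try:
        password, code = split_password_otp(combined)
    except ValueError:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


def naive_authenticate(username: str, combined: str, now: int = None) -> bool:
    """Hypothetical buggy variant: always strips the suffix before checking enrolment."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    try:
        password, code = split_password_otp(combined)
    except ValueError:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password), user["pw_hash"])
    if user["totp_secret"] is None:
        return pw_ok  # bob's real password was truncated, so this is False
    return pw_ok and verify_totp(user["totp_secret"], code, now)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: alice's code is 287082
    print("alice ok:", authenticate("alice", "correct horse287082", now=t))
    print("bob ok (enrolment checked first):", authenticate("bob", "ends-in-123456"))
    print("bob ok (naive strip):", naive_authenticate("bob", "ends-in-123456"))
```

The `naive_authenticate` branch is the "introduce bugs" path from the answer: a legitimate user is rejected with no indication of why. Looking up enrolment before parsing, or submitting the two fields separately, removes that ambiguity entirely.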