Skip to content

Add id="totp" to TOTP input field for password manager auto-detection#321

Open
CGHoussem wants to merge 1 commit into
owncloud:masterfrom
CGHoussem:master
Open

Add id="totp" to TOTP input field for password manager auto-detection#321
CGHoussem wants to merge 1 commit into
owncloud:masterfrom
CGHoussem:master

Conversation

@CGHoussem

Copy link
Copy Markdown

This change adds an id="totp" attribute to the TOTP input field on the login page.

This helps password managers (such as Bitwarden, 1Password, and others) automatically detect and eventually fill the TOTP code field when using saved logins that include a 2FA token.

Why

Without a clear identifier, most password managers fail to recognize the TOTP input automatically, forcing users to manually copy/paste the 2FA code.
This small change improves usability and accessibility for users who rely on password managers.

Testing

  • Verified that the TOTP field still works correctly for manual input.
  • Confirmed that Bitwarden now correctly auto-fills the TOTP field when a matching entry is present.

@CLAassistant

CLAassistant commented Nov 9, 2025

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@sonarqubecloud

sonarqubecloud Bot commented Nov 9, 2025

Copy link
Copy Markdown

@DeepDiver1975

Copy link
Copy Markdown
Member

autofill=one-time-code

This should be the way to go from my understanding.

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/autocomplete

@CGHoussem

CGHoussem commented Nov 11, 2025

Copy link
Copy Markdown
Author

autofill=one-time-code

This should be the way to go from my understanding.

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/autocomplete

I have first tested to set the autocomplete field to "one-time-code", but that alone didn't work for the password manager Bitwarden (haven't tested other password managers).

What worked for me either adding the field id and setting it to "totp" or changing the name field from "challenge" to "totp" (at least that's how Bitwarden figures out the one time code field).

I suggest updating the value of the name field to "totp-challenge" (which also works). This change resolves the issue with Bitwarden (and possibly other password managers) and, as a bonus, aligns the name field’s value with the one used for similar inputs in the settings page:

+ ' <input type="text" id="totp-challenge" required="required" type="tel" minlength="6" maxlength="6" autocomplete="off" placeholder="' + t('twofactor_totp', 'Authentication code') + '">'

If you are okay with the idea, I'll update the PR

@dj4oC dj4oC left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adds id="totp" to the TOTP challenge input so password managers can target the field for autofill.

Findings

  • Security: no findings — purely a DOM id attribute on an existing form field, no new data exposure or behavior change.
  • Stability: no findings — single-line, non-breaking template change.
  • Performance: no findings.
  • Test coverage: n/a for a static template attribute; no existing test asserts on this markup.
  • WCAG 2.2: no regression — an id addition doesn't change the accessible name; note there's no associated <label for="totp"> in this template, so if a future pass wants to improve accessibility further, wiring a label to this id would be the next step, but that's out of scope for this PR.

Verdict

Approved — low-risk, useful UX fix.

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants