2fa should auto-continue after code is entered
Bug #1948970 reported by Chris Johnston
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Triaged | Wishlist | Unassigned |
Bug Description
Many websites nowadays don't require clicking a "submit" or "continue" button after entering a 2fa code, and instead just continue automatically. It would be nice if USSO did this as well.
Can you provide examples of sites that do this?
It sounds like an antipattern, what if I typoed the access code? How does the site know whether to continue automatically? (we could do it by length but that sounds even insecure, as an attacker doesn't necessarily know the length of the code to enter (it's 6 digits, not a big secret) but if we automatically submit once the content of the field hits 6 digits, we're removing this barrier to brute-force attacks, however small).
Some devices, such as Yubikeys, can be programmed to automatically send an ENTER after entering the code, which has the same effect.