I restarted my browser which deleted all my cookies (thank you Cookie AutoDelete!) and when I logged back in to the Fedora Discussion site, I mistakenly typed my password into the “One Time Password” field rather than the “Password” field.
I only realized what I’d done when hitting ‘enter’, and imagine my surprise when I was logged in to my account!
I logged out, deleted cookies (since if you don’t, you won’t be prompted for credentials when clicking the “Login” button) and tried again. Same result, I was logged in by putting my password in the “One Time Password” entry box.
Is this the expected behavior? I’d assumed that OTP meant using something like a Yubikey or similar. I’m guessing that it is or this would have been addressed already, but perhaps not.
If that’s the appropriate behavior, I was unaware and apologize for wasting your time.
If accepting normal passwords in the “One Time Password” field is not expected behavior, who should I contact to get them to take a look?
Yeah, this is an expected quirk due to the way the backend of the account system works. I’m not sure it’s worth ‘fixing’.
Basically those two fields are merged and sent to the backend, i.e., if you enter just ‘password’ it just sends that. If you enter ‘password’ and ‘otp’ it sends ‘passwordotp’ to the backend. So you can enter all of it in either field.
I guess the one bad part here is that the otp field doesn’t hide your typing, so if you enter password in there it could be subject to shoulder surfing attacks or something. I guess that might be worth an RFE to hide contents in the otp field also.
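To make the quirk concrete, here is an added illustration (not code from Fedora Discussion or the account system) of a client that concatenates the two fields and a backend that, as an assumed model, treats the trailing six characters as a TOTP code when a token is enrolled and otherwise checks the password alone; the plaintext comparison stands in for a real password hash.

```python
import hashlib
import hmac
import struct
from typing import Optional

OTP_LEN = 6  # assumption: six-digit TOTP codes


def merge_fields(password: str, otp: str) -> str:
    """Client side: both form fields are simply concatenated into one credential."""
    return password + otp


def totp(secret: bytes, now: int, step: int = 30, digits: int = OTP_LEN) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the token type assumed for this example."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(combined: str, stored_password: str, totp_secret: Optional[bytes], now: int) -> bool:
    """Server side (assumed model). With no token enrolled the whole string is the
    password; with a token enrolled the last OTP_LEN characters are the OTP.
    The backend never sees which field the characters were typed into."""
    if totp_secret is None:
        return hmac.compare_digest(combined, stored_password)
    if len(combined) <= OTP_LEN:
        return False
    password, otp = combined[:-OTP_LEN], combined[-OTP_LEN:]
    return hmac.compare_digest(password, stored_password) and hmac.compare_digest(otp, totp(totp_secret, now))


def placements_are_equivalent(password: str, otp: str) -> bool:
    """The three ways of distributing the characters across the fields all
    produce the same wire value, which is exactly the behaviour reported above."""
    wire = merge_fields(password, otp)
    return merge_fields("", password + otp) == wire == merge_fields(password + otp, "")
```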
> Yeah, this is an expected quirk due to the way the backend of the account system works. I’m not sure it’s worth ‘fixing’.
Thanks for the clarification. It’s not a huge deal, I was just taken aback by the unexpected result.
> I guess the one bad part here is that the otp field doesn’t hide your typing, so if you enter password in there it could be subject to shoulder surfing attacks or something. I guess that might be worth a RFE to hide contents in the otp field also
That’s not really a big concern for me, but it’s likely a good idea. FYI: