Keepassxc-browser: Logging into 2 Page Logins

Created on 3 Nov 2020 · 12 Comments · Source: keepassxreboot/keepassxc-browser

Overview

Unfortunately, I'm unable to log into websites that use 2 web pages for the login process. The 1st page is for the username. The 2nd page is for the password. I'm assuming they deliberately use this process for security reasons as it does prevent KeePassXC from correctly identifying fields and placing the login or password icon at the right side of the entry field. Many websites have started to use this process like Amazon, Gmail, Google, etc.

Steps to Reproduce

  1. Go to Amazon and press the login button.
  2. If you use the browser extension to Choose Custom Login Fields, it _will_ correctly identify the field for the username.
  3. After entering the login, the website takes you to the next web page which is the step in which you enter the password. Now, if you use the browser extension to Choose Custom Login Field, it cannot identify the field for password. Let me take that back. It can correctly identify the field _except_ it will remove the identification of the username field. So, the next time you try to log in, the username field won't be correctly identified anymore. Essentially, KeePassXC can only correctly identify 1 of the 2 fields. If you make KeePassXC identify the username field, it can't identify the password field. If you make KeePassXC identify the password field, it can't identify the username field.

Expected Behavior

Correct identification of both the username and password fields with the placement of the KeePassXC icon at the far right side of the field.

Actual Behavior

Only 1 of the 2 fields can be correctly identified by KeePassXC. Currently, I have the KeePassXC icon placed in the password field since it's harder to memorize and type in.

Context

I'm assuming that websites have instituted this login process to thwart hackers as the domain name is the same for two web pages. I'm assuming that this confuses a hacker's program. But, it also confuses KeePassXC apparently.

KeePassXC - Version 2.6.2
Revision: e9b9582

Qt 5.15.1
Debugging mode is disabled.

Operating system: Windows 10 Version 2004
CPU architecture: x86_64
Kernel: winnt 10.0.19041

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare (signed and unsigned sharing)
  • YubiKey

Cryptographic libraries:
libgcrypt 1.8.6

Operating System: Windows 10
Desktop Env: Windows Finder, Directory Opus

All 12 comments

What's the extension version you are using? With 1.7.2 Amazon etc. should be recognized automatically without the need of using Custom Login Fields or Site Preferences.

Hey Varjolintu, (By the way, is Varjo your first name?)

Please tell me how you do it! Pretty please. I'm using extension version 1.7.2. I can't log into Amazon and Gmail right away which is extremely annoying when I use certain websites. Every time when I need to purchase from Amazon (which I do a few times every day for my small business), I have to type in my username. (Amazon always logs you out automatically.) With Gmail, I have to type in my username and then select the password from a very long list every morning. (I have maybe like 30 Gmail accounts.) I use 4 different Gmail accounts every day so it's annoying to open each one separately. I converted my email program from Outlook to Gmail web but now I'm thinking of spending a 1000000 hours to convert all my email back to Outlook because it's getting annoying.

Please tell me how you did it! What settings do you use? The following are the checked options in settings in my browser extension:

General
USER INTERFACE
Activate username field icons
Activate password generator icons
Show notifications

FILLING CREDENTIALS
Automatically retrieve credentials
Activate autocomplete for username fields
Auto-submit login forms
Automatically fill in single-credential entries

SAVE CREDENTIALS
Show a banner on the page when new credentials can be saved to the database.
Always ask where to save new credentials
Save domain only
Number of allowed redirects: 5

ADVANCED SETTINGS
Use dynamic input field detection
Save domain only
Use predefined sites for compatibility

Should I uncheck any of the above options?

I don't use anything extra for Amazon. It just works. Same with GMail. I don't use Auto-submit.

I think I tried every combination of settings. I can't get it to work. The URL for the login page and the password page are the same. Can KeePassXC recognize that the webpage has changed even though the URL hasn't?

I don't use anything extra for Amazon. It just works. Same with GMail. I don't use Auto-submit.

It can, and Amazon and GMail are the most tested ones.

Hi,
I have an issue when enabling the Amazon two-factor authentication using an external app. Either the password page or the TOTP page works, but not both.
Natively, the password page is OK, but the TOTP is not proposed, and if I choose custom identification fields to set up the TOTP, then the password page is not auto-filled anymore.
I believe the solution would be to be able to select custom fields by page and not by site. Also, being able to edit the page URL to be more discriminating (use a path after the site name filter) would also be great.
Hope it helps,
AriesFR

@AriesFR Can you still fill the TOTP using context menu or a keyboard shortcut?

Thanks @varjolintu. Yes, I can use the menu or the shortcut, but it would be much easier to just click on the usual ellipsis icon in the box... if it existed. Sorry, I know I'm lazy ;)
What I saw when I dug a little to find out where my issue was, is that those two pages obviously use different URLs (https://www.amazon.fr/ap/signin?... and https://www.amazon.fr/ap/mfa?...) and that simple filter would do the trick.
Cheers,
AriesFR

@AriesFR This definitely needs some special handling. I see what I can do about it.

EDIT: Actually the problem lies with Amazon's 2FA field, as it defines the maxLength as 20. We ignore 2FA fields longer than 10. So the special handling will need to be made only for the 2FA field check.

@AriesFR #1142 will probably help you :) Just wait for the next version.

Thanks @varjolintu, that looks excellent!

I am seeing the same thing on the 2FA field on www.drupal.org which has a maxLength of 128. I have the newest version of the keepassxc-browser plugin 1.7.4 and still the 2FA field is not recognized. I do not have custom fields or site preferences assigned for this website.

The login URL is: https://www.drupal.org/user/login
While the 2FA URL is something like: https://www.drupal.org/system/tfa/######/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I have the login URL above in KeepassXC and two additional URLs in Browser Integration: https://www.drupal.org/ and https://www.drupal.org/system/tfa.

I am not sure if it is best to only add the domain name in the Additional URLs or the exact page URL. In the case of the www.drupal.org 2FA page the URL is different each time. The last part of the string, the Xs, changes. They also have a query string defined after the URL to send the user back to the page they came from that looks like this: ?destination=node/2958929. I get the thought that these query strings are not being handled properly by the extension. I think that as they can be different each time they should be ignored when trying to match a page for the login or 2FA page. So it ends up looking like
https://www.drupal.org/system/tfa/######/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?destination=node/2958929
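
The matching rule proposed in the comments above (per-page rather than per-site entries, with the query string ignored), sketched as an added example; it is not code from this thread or from keepassxc-browser. The function names are hypothetical, and the token and query values in the sample URLs are constructed.

```javascript
// Hypothetical matcher (added example, not the extension's own logic).
// Reduce a URL to its origin plus path segments; query string and fragment are dropped.
function normalize(raw) {
    const u = new URL(raw);
    return { origin: u.origin, segments: u.pathname.split('/').filter(Boolean) };
}

// True when a stored entry URL applies to the page currently shown.
function entryMatchesPage(entryUrl, pageUrl) {
    let entry, page;
    try {
        entry = normalize(entryUrl);
        page = normalize(pageUrl);
    } catch (e) {
        return false; // unparsable URL: never offer credentials
    }
    // Scheme, host and port must match exactly, so a look-alike host
    // such as www.drupal.org.example.test is rejected.
    if (entry.origin !== page.origin) return false;
    // The entry path must be a prefix of the page path on whole segments,
    // so /system/tfa does not match /system/tfa-other.
    if (entry.segments.length > page.segments.length) return false;
    return entry.segments.every((seg, i) => seg === page.segments[i]);
}

// Among several stored URLs, pick the one with the longest matching path,
// so a page-level entry (the 2FA page) wins over a domain-only entry.
function mostSpecificEntry(entryUrls, pageUrl) {
    let best = null;
    let bestDepth = -1;
    for (const entryUrl of entryUrls) {
        if (!entryMatchesPage(entryUrl, pageUrl)) continue;
        const depth = normalize(entryUrl).segments.length;
        if (depth > bestDepth) {
            best = entryUrl;
            bestDepth = depth;
        }
    }
    return best;
}

// Stored URLs as listed in the comment above; the page URL uses constructed token values.
const stored = [
    'https://www.drupal.org/user/login',
    'https://www.drupal.org/',
    'https://www.drupal.org/system/tfa',
];
const tfaPage = 'https://www.drupal.org/system/tfa/123456/0123abcd?destination=node/2958929';
console.log(mostSpecificEntry(stored, tfaPage)); // https://www.drupal.org/system/tfa
```

Keeping the origin comparison exact while relaxing only the path and query is what makes ignoring the changing parts of the URL safe for a credential filler.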
