Show TOTP directly below password field #250

Closed
papst01 opened this issue Apr 26, 2018 · 1 comment

papst01 commented Apr 26, 2018

It should be prevented that an attacker could get knowledge of the correct password. Till now, the login process works (as far as I understand it) this way:

  • type in user name
  • switch to the password field and type it in,
  • press Enter [password will be checked] and if correct
  • the TOTP-field is shown.
  • type in the TOTP
  • press ENTER and if correct, the login worked

For me this is a security flaw. It is not necessary to inform the attacker that he knows the correct password.

The only right way - in my eyes - should be: If the admin has added the TOTP app (and at least one user has it activated), show the TOTP field below the password field on the login screen from the start. Password and TOTP are checked together.
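The two login flows discussed in this issue, as an added example that is not part of the issue or of the Nextcloud code base: the sequential flow returns a distinct error once the password is right, while the combined flow collects both factors on one form and gives a single generic failure. The password hash, salt and TOTP secret are constructed demo values; the TOTP code follows RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo credentials (not from the issue): a PBKDF2 password hash and a base32 TOTP secret.
_SALT = b"demo-salt"
_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
_TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps at Unix time `at`."""
    return hotp(secret, at // step, digits)


def _password_ok(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, _PW_HASH)


def sequential_login(password: str, code: str, at: int) -> str:
    """The flow the issue describes: the password is checked first and its result
    is exposed to the client before the second factor is even requested."""
    if not _password_ok(password):
        return "bad password"   # distinguishable response: password was wrong
    if not hmac.compare_digest(totp(_TOTP_SECRET, at), code):
        return "bad code"       # distinguishable response: password was right
    return "ok"


def combined_login(password: str, code: str, at: int) -> str:
    """The flow the issue proposes: both factors are submitted on one form and
    evaluated together, so a wrong password and a wrong code look identical."""
    pw_ok = _password_ok(password)                              # always evaluated
    code_ok = hmac.compare_digest(totp(_TOTP_SECRET, at), code)  # always evaluated
    return "ok" if (pw_ok and code_ok) else "login failed"
```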

@ChristophWurst
Member

This is a duplicate (can't find the original ticket right now, sorry).

For me this is a security flaw. It is not necessary to inform the attacker that he knows the correct password.

We already have bruteforce protection in place that should prevent attackers trying to guess the 2fa secret: nextcloud/server#4434.

Moreover, I've not yet seen any platform that would handle logins this way.
