davift opened a new issue, #13337: URL: https://github.com/apache/cloudstack/issues/13337
### The required feature described as a wish

<img width="473" height="612" alt="Image" src="https://github.com/user-attachments/assets/b624e9d2-08f0-4593-8446-3214e93d68a6" />

**Description:** The 2FA input is defined as `type="password"`. Password managers treat it like a regular password field, so they may save or autofill the 2FA code. This can overwrite the stored password and lock the user out of their account. The field was likely set this way to hide the Static PIN from bystanders or during screen sharing.

**Affected Components:** Management UI

**Impact:** Password managers may replace saved passwords with 2FA codes. This can lock users out and lead them to choose weaker passwords or store them insecurely.

**Steps to Reproduce:**
- Log in to the CloudStack Management UI with a user that has 2FA enabled.
- Enter valid credentials and continue to the 2FA screen.
- Inspect the 2FA input field in the browser’s developer tools.
- Confirm it is set to `type="password"`.

**Recommended Remediation:** Change the 2FA input field to `type="number"` and add `autocomplete="one-time-code"`. This informs password managers of the field's actual meaning. Also, consider combining the password and 2FA into a single form. This way, attackers can’t tell which part failed, making password attacks harder.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
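The check described in the issue's reproduction steps and the remediation it recommends, as an added example that is not part of the issue or of the CloudStack UI code. It audits a form's inputs for a one-time-code field declared as `type="password"` or lacking `autocomplete="one-time-code"`, and emits the hardened markup. The field names (`twoFactorCode`, `username`, `password`) and the sample forms are constructed for the example; the hardened field uses `type="text"` with `inputmode="numeric"` rather than `type="number"`, a choice made here to get a numeric keyboard without the spin control, and the name-based detection is a heuristic, not a CloudStack convention.

```javascript
// Added example, not code from the CloudStack UI: audit login-form inputs for the
// "OTP field declared as a password" pattern the issue reports, and emit the
// hardened markup. Inputs are plain attribute objects so this runs in Node with no
// DOM; in a browser you would collect them from the live page with
//   Array.from(document.querySelectorAll('input')).map(i => ({
//     name: i.name, type: i.type, autocomplete: i.getAttribute('autocomplete') || '' }))

// Constructed sample forms. Field names are assumptions, not CloudStack's real ones.
const SAMPLE_2FA_FORM = [
  { name: 'twoFactorCode', type: 'password', autocomplete: '' },
];
const SAMPLE_LOGIN_FORM = [
  { name: 'username', type: 'text', autocomplete: 'username' },
  { name: 'password', type: 'password', autocomplete: 'current-password' },
];

// Heuristic for "this field holds a one-time code": either it already declares
// autocomplete="one-time-code" or its name looks like an OTP/2FA/PIN field.
const OTP_NAME = /(2fa|otp|totp|one[-_]?time|code|pin|token)/i;

function isOtpField(input) {
  return input.autocomplete === 'one-time-code' || OTP_NAME.test(input.name || '');
}

// Return human-readable findings for one input (empty array = nothing to report).
function auditInput(input) {
  const findings = [];
  if (!isOtpField(input)) return findings;
  if (input.type === 'password') {
    findings.push(`${input.name}: type="password" makes password managers treat the code as a credential to save`);
  }
  if (input.autocomplete !== 'one-time-code') {
    findings.push(`${input.name}: missing autocomplete="one-time-code"`);
  }
  return findings;
}

function auditForm(inputs) {
  return inputs.flatMap(auditInput);
}

// Hardened attribute set. type="text" plus inputmode="numeric" gives a digits-only
// keyboard on mobile without the spin control of type="number", the pattern keeps
// the browser's own validation digit-only, and autocomplete="one-time-code" tells
// password managers and SMS/TOTP autofill what the field actually is.
function hardenOtpInput(input) {
  return {
    ...input,
    type: 'text',
    inputmode: 'numeric',
    pattern: '[0-9]*',
    autocomplete: 'one-time-code',
  };
}

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialise an attribute object back to an <input> tag, dropping empty attributes.
function renderInput(input) {
  const attrs = Object.entries(input)
    .filter(([, v]) => v !== undefined && v !== '')
    .map(([k, v]) => `${k}="${escapeAttr(v)}"`)
    .join(' ');
  return `<input ${attrs}>`;
}

// The single-form variant the issue suggests: username, password and code are
// submitted together, so the server can return one generic error whichever part
// was wrong.
function combinedLoginForm() {
  return [...SAMPLE_LOGIN_FORM, hardenOtpInput(SAMPLE_2FA_FORM[0])];
}

function renderForm(inputs) {
  return ['<form method="post">', ...inputs.map(i => '  ' + renderInput(i)), '</form>'].join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Findings on the reported 2FA screen:');
  auditForm(SAMPLE_2FA_FORM).forEach(f => console.log('  - ' + f));
  console.log('\nHardened single form:\n' + renderForm(combinedLoginForm()));
}
```

Run it with `node` to see the two findings for the sample 2FA screen and the rendered single form. Note that the markup change only fixes how password managers classify the field; the server side of the combined form still has to evaluate password and code together and return the same error message for either failure, otherwise the enumeration advantage the issue mentions remains.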
