Feature-Request: Threesome vs. Twosome Login Windows

When I was using CORE, I appreciated the login screen incorporating three fields: login, password, and 2FA, if fitted. In SCALE 24.04.2 (aka Dragonfish), the 2FA is broken out into a second window after the login / password is verified first.

Why the difference and why 2 windows when 1 will do? I presume that the SCALE solution allows the admin to isolate whether the login/password combination works separately from the 2FA passcode, but I liked the convenience of the single CORE window even better. With a password manager (and let’s face it, if you’re into 2FA, you will most likely have such a manager) the issue of mis-entering the password / 2FA code goes away.

In other words, I really would like the SCALE login to mimic the older CORE one.

What impact does this have to your user experience rather than just having a second window?

As an aside, it’s common practice for web apps to separate username/password and 2FA into two distinct windows.
e.g. Google

It’s become somewhat-common practice to separate them into three distinct windows, one for the username, one for the password, and a third for the 2FA code. I don’t understand what purpose that’s supposed to serve, but I wish it’d stop.


That’s true of even the example I provided and I’m so used to it I didn’t even notice xD

It’s simply a lot quicker if the password manager can fill out all fields in one go vs. having to use the password manager button three separate times, once for each field.

To me, implementing multiple windows when one will do is an example of the UI getting in the way vs. getting something done quicker.


I blame Google for starting this trend.


What is the window setting in the documents for? (Enabling 2FA section; window is set to 0 in the examples.)

It refers to the validity window for 2FA passwords. Defaults to 0 so only the current password is valid, but can be set to allow one or more previous passwords to be valid.

2FA is just a poster child for this behaviour anyway.

Sure, but 2FA actually adds some security. What purpose does it serve to ask for the username and the password on two separate pages?


If you’re a nefarious attacker, the time between the two pages could make you reconsider and see the flaw in your evil ways.

If the username and password are presented on the same page, then it leaves no time for this crucial introspection.


*Enters username*

*Clicks Next*

What am I doing with my life?


I’ve read NIST SP800-63B carefully and I don’t see any reference to a “morality plea” factor.


“You don’t want to sell me death sticks.”

“You want to go home and rethink your life.”


I’d argue that putting all three on one page would enhance security since the attacker would not be able to identify whether they got the password and user name correct before the 2FA combination is assessed.

On the other hand, it also makes it more difficult to figure out if it’s the password or the 2FA that’s at fault if something goes wrong. 2FA is picky re: the clocks of the user CPU and that of the NAS, which is why I run several NTP200s at home.

Still, on balance, the old CORE login window approach of having all three fields in one window is quicker and I don’t see a compelling reason why SCALE should be different, other than aping Google, which isn’t a good enough reason in itself.

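The two technical points raised so far, the 2FA validity window (window=0 accepts only the current code, window=1 also the previous one) and the argument that a single page can refuse to say which factor failed, can both be shown in a few lines. What follows is an added illustration written for this thread, not TrueNAS code from either CORE or SCALE. It assumes standard RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), PBKDF2 for the password hash with a fixed demo salt, and a constructed account `admin` whose 2FA secret is the RFC 4226 test vector secret so the codes can be checked against the published table. Both login functions (`login_two_step`, `login_one_step`) are hypothetical names chosen here.

```python
"""Added example for the thread above: TOTP with a validity window, and a
one-step login that returns a single verdict versus a two-step login that
reports each factor separately. Illustrative only; not TrueNAS code."""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 0, step: int = STEP) -> bool:
    """Accept the code for the current step and for up to `window` previous steps.

    window=0 (the documented default) accepts only the current code; window=1 also
    accepts the previous 30 s step, which absorbs small clock drift between the
    client and the NAS. Every candidate is compared in constant time and the loop
    never exits early, so response timing does not reveal which step matched.
    """
    current = at // step
    matched = False
    for back in range(window + 1):
        counter = current - back
        if counter < 0:
            continue
        matched |= hmac.compare_digest(hotp(secret, counter).encode(), code.encode())
    return matched


SALT = b"fixed-demo-salt"   # constructed for the example; real code uses a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed demo account: the RFC 4226/6238 test secret and a made-up password.
USERS = {
    "admin": {"pw": hash_password("correct horse"), "totp": b"12345678901234567890"},
}
# Placeholder record so an unknown username costs the same work as a known one.
DUMMY = {"pw": hash_password("placeholder"), "totp": b"\x00" * 20}


def login_two_step(username: str, password: str, code: str, at: int, window: int = 0) -> str:
    """The separate-pages flow: each factor is checked and reported in turn, so the
    response tells the caller exactly how far they got (username valid? password valid?)."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not hmac.compare_digest(hash_password(password), user["pw"]):
        return "bad password"
    if not verify_totp(user["totp"], code, at, window):
        return "bad 2FA code"
    return "ok"


def login_one_step(username: str, password: str, code: str, at: int, window: int = 0) -> str:
    """All three fields submitted together: every factor is evaluated before a single
    verdict is returned, so a failure does not say whether the username, the
    password or the code was the wrong one."""
    known = username in USERS
    user = USERS[username] if known else DUMMY
    pw_ok = hmac.compare_digest(hash_password(password), user["pw"])
    otp_ok = verify_totp(user["totp"], code, at, window)
    return "ok" if (known and pw_ok and otp_ok) else "login failed"


if __name__ == "__main__":
    now = 1000                      # constructed timestamp: step 33
    code = totp(b"12345678901234567890", now)
    print("two-step, wrong password:", login_two_step("admin", "wrong", code, now))
    print("one-step, wrong password:", login_one_step("admin", "wrong", code, now))
    print("one-step, 30 s late, window 0:", login_one_step("admin", "correct horse", code, now + 30))
    print("one-step, 30 s late, window 1:", login_one_step("admin", "correct horse", code, now + 30, window=1))
```

Run stand-alone it prints the distinct two-step errors beside the uniform one-step verdict, and shows the same code being rejected 30 seconds later with window=0 but accepted with window=1. The placeholder record is what keeps the one-step variant honest: without it, an unknown username would skip the password hash and answer measurably faster.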

Bingo.


I noticed this too. Once Google / Gmail started doing it, I noticed more services soon started to follow this method.

The justification was never clear.

What’s especially disturbing (which doesn’t apply to “local” services, like TrueNAS), is that this “separate pages” method will not only confirm that the username is correct, but in Google’s case, it will also reveal the “Name” associated with the username, without even attempting to login or enter any password.

Also gets annoying with auto-password managers.

Select username and authorize…

Next

argh.


A common genuine reason for multiple screens is when you don’t know what the required factors will be. Some users may have different policies.

Hey, that could be a factor too! Correctly identify which additional factors are required!

Perhaps, but then the options should be tailored to what could be possible. Will the system ever not require both a username and password? If that will never be the case, then ask for both on the one login page. If it’s possible that some users might require 2FA and others not, putting 2FA on a separate screen would make sense.


Hmmm I don’t really buy that argument. It’s easy enough to have all three fields in one window when 2FA is enabled and only 2 when it’s not. See CORE vs. SCALE.