OTP entry best practices
For protocols that let the OTP be entered in either field, we recommend training users to enter the OTP in the username field rather than the password field. This recommendation is empirical: it comes from years of customer feedback rather than from a property of the protocols themselves.
Benefits of OTP in username field
- For OATH OTPs, the username field is not masked, so you can see the digits you have typed and catch a typo before submitting.
- For YubiKey OTPs, you see the characters as the key types them instead of masked "password" dots, and the trailing TAB (when the key is configured to append one) visibly moves focus to the password field, so the user knows the key has finished and it is time to enter the password. This avoids the timing mistake of pressing Enter or clicking the logon button while the key is still typing.
Disadvantages of OTP in password field
- Training users to use this method can lead to confusion when they must also use protocols or services (RDP, for example) that cannot accept the OTP in the password field.
- For OATH OTPs, the field is masked, so you cannot see what you have typed and typos are more common.
- For YubiKey OTPs, it is harder to tell when the key has finished typing. Once the field is full of masked "password" dots it shows no further visible change, so the user assumes the key is done while it is still typing. If the user presses Enter or clicks the logon button at that point, they are racing the YubiKey, and the server receives only part of the OTP. The resulting logon failures look sporadic, and the server logs do not recognize the partial OTP as an OTP at all; they simply record a bad password.
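Putting the OTP in the username field means the authenticating server has to split that field into a username and an OTP, and the truncation failure described above is exactly the case where a server can log something more useful than "bad password". The following Python example illustrates both. It is added here and is not code from the original page or from any vendor's product: it assumes the default YubiKey OTP layout (a 12-character modhex public ID followed by a 32-character token, 44 characters total) and 6-digit OATH codes, both as adjustable parameters, and the function names, the diagnostics and the sample inputs are all constructed for illustration.

```python
"""Split a username field that may carry an OTP, and diagnose truncated entries.

Added example, not the page's or any product's code. Assumptions (see constants):
default YubiKey OTP layout of 44 modhex characters, 6-digit OATH codes.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MODHEX_ALPHABET = frozenset("cbdefghijklnrtuv")   # YubiKey modhex alphabet
YUBIKEY_OTP_LEN = 44          # assumption: 12-char public ID + 32-char token
YUBIKEY_TRUNCATION_MIN = 16   # fewer trailing modhex chars than this is probably just a username
OATH_DIGITS = 6               # assumption: 6-digit TOTP/HOTP codes


@dataclass
class ParsedField:
    username: str
    otp: Optional[str]
    kind: Optional[str]       # "yubikey", "oath" or None
    diagnostic: str           # what the auth log should say about this attempt


def _trailing_run(s: str, alphabet: FrozenSet[str]) -> int:
    """Length of the run of characters drawn from `alphabet` at the end of s."""
    n = 0
    for ch in reversed(s):
        if ch not in alphabet:
            break
        n += 1
    return n


def split_username_field(field: str,
                         yubikey_len: int = YUBIKEY_OTP_LEN,
                         oath_digits: int = OATH_DIGITS) -> ParsedField:
    # A YubiKey may be configured to append TAB or Enter; strip such trailing control characters.
    field = field.rstrip("\t\r\n ")

    # 1. Complete YubiKey OTP: take the LAST yubikey_len characters, not the whole modhex run.
    #    A username such as "alice" ends in modhex letters and would otherwise be absorbed.
    #    An empty username is acceptable here: the public ID identifies the key.
    modhex_run = _trailing_run(field, MODHEX_ALPHABET)
    if modhex_run >= yubikey_len:
        otp = field[-yubikey_len:]
        public_id = otp[:yubikey_len - 32]
        return ParsedField(field[:-yubikey_len], otp, "yubikey",
                           "YubiKey OTP received (public ID %s)" % public_id)

    # 2. Truncated YubiKey OTP: Enter or the logon button was hit while the key was still typing.
    #    Without this check the attempt is indistinguishable in the logs from a bad password.
    if YUBIKEY_TRUNCATION_MIN <= modhex_run < yubikey_len:
        return ParsedField(field, None, None,
                           "truncated YubiKey OTP: %d trailing modhex characters, expected %d; "
                           "user likely pressed Enter before the key finished typing"
                           % (modhex_run, yubikey_len))

    # 3. OATH OTP: a fixed number of digits at the end of the field. Modhex has no digits,
    #    so the two OTP types never collide.
    digit_run = _trailing_run(field, frozenset("0123456789"))
    if digit_run >= oath_digits:
        username = field[:-oath_digits]
        if not username:
            return ParsedField("", None, None, "OATH code received without a username")
        return ParsedField(username, field[-oath_digits:], "oath", "OATH code received")
    if 0 < digit_run < oath_digits:
        return ParsedField(field, None, None,
                           "possible short OATH code: %d trailing digits, expected %d"
                           % (digit_run, oath_digits))

    return ParsedField(field, None, None, "no OTP found in username field")


def simulate_early_enter(username: str, otp: str, chars_typed_so_far: int) -> str:
    """Field contents when the user hits Enter after the key has typed only part of the OTP."""
    return username + otp[:chars_typed_so_far]


if __name__ == "__main__":
    # Constructed sample OTP (44 modhex characters); not a real key's output.
    sample_otp = "ccccccbcgujhrhlhtivtbvrkvjdutthbgbcrjtcuunlk"
    for attempt in ("alice" + sample_otp,
                    simulate_early_enter("alice", sample_otp, 30),
                    "bob123456",
                    "bob"):
        parsed = split_username_field(attempt)
        print(repr(parsed.username), parsed.kind, "-", parsed.diagnostic)
```

The diagnostics are log hints, not rejection reasons: the attempt still fails normally, but an operator reading "truncated YubiKey OTP: 34 trailing modhex characters, expected 44" can tell a timing problem from a forgotten password, which a plain "bad password" entry never reveals. Usernames that happen to end in a few digits will trip the short-OATH hint, so tune `OATH_DIGITS` and the thresholds to your own naming conventions.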