[Rygian]

I would consider that as a bug, not as a feature. If the login panel behaves differently on a correct password than on a wrong password, that's an information leak that must be fixed.

Authentication must be evaluated and rejected only when all factors are already provided, and the rejection error should not disclose which of the factors failed.

So, with a proper login panel, my 2FA being asked does not mean that someone has my password.

Edit: this is, for example, the recommendation from PCI to separate "Multi-Step Authentication" from true "Multi-Factor Authentication": https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authe...

[medevacs]

I'm under the impression you misread the original blog post, which by the way does not really do a very good job in terms of explaining how this should be implemented.

IMHO, the idea is not to display the info about wrong 2FA code on the login page but to use a separate channel to inform the account owner about this recent, failed login attempt. So, no info on the login page of the website (adversary would still not know that they have a good password but wrong 2FA) but e.g. an email, a text message, a push notification, etc. with this info. I would certainly like to know that someone, somewhere is trying to login to my account and that this adversary is in possession of my actual password.

[xwx]

If I've understood the linked post, the login panel doesn't have to behave or look different if someone gets the username and password right. You could still show everyone the 2FA input.

It's suggesting that if the username and password are right but 2FA isn't the system should let the account owner know.

[Rygian]

I have read the linked post too quickly before sending my initial comment. Indeed, a back-channel notification to the legitimate account owner is probably a good idea.

On the other hand, disclosing to the attacker that they got the password right is not acceptable.

[runlevel1]

Correct. The blog suggests letting them know out-of-band, like via email, not in the login flow.

[jstanley]

Unless you're an especially high-value target, I'd rather you gave quicker feedback about whether or not I have remembered my password correctly than you make it impossible to determine whether or not a password is correct without also having to input the 2FA token.

[DangitBobby]

I don't know of anyone who does 2FA this way.

[Rygian]

My employer does it for products requiring PCI certification. Our PCI auditor recommends it even though it's not a formal requirement of PCI v3.

[darkarmani]

That sounds like a terrible trade-off that makes people more likely to write down passwords on post-it notes or in a clear-text file to cut-n-paste. Especially if you lock accounts after a 10 tries or so (or PCI's ridiculous low number of tries).

[rexfuzzle]

This was posted above: https://www.isnic.is/en/site/login First time I've seen it too

[Semaphor]

You make a good point, but does anyone do that? I’ve been using a PW manager so long, I don’t really enter incorrect passwords.

[anamexis]

I think the majority of places I use 2FA, the 2FA prompt is on a screen after the password login. This is because the use of 2FA is an account option, so not all accounts will have it active.