Hacker News
by Avicebron 775 days ago
I can't speak to the specifics of this particular implementation, but usually if someone has the login (username + password) to get to TOTP, that user has already been compromised.
3 comments

But MFA is there to prevent this compromise from affecting the service and alert users/admins to the compromise, right?

If you have username and password and are able to force the TOTP in the 60s window, the TOTP would be useless imho.

If a user keeps their credentials in a notebook and it gets stolen, the TOTP check can be the difference between the attacker getting in, and the user being notified and changing their password.
Unfortunately, these days it's even easier with password managers containing all three (user, pass, token).
The difference being the notebook is paper and easily read, while the password manager is... quite a bit harder.
I want to believe users who use a password manager are also technically literate enough to secure it properly.
Me too, but my day job means I handle a bit of secops; password managers are rolled out as security tools to users operating in enterprises where things like mandating that people don't keep their passwords on a sticky note on their monitor is usually step one...
Oh, wag doesn't use username and password auth by default. Those are only available in the OIDC integration or if you use PAM auth.