fix: bypass passwordless login when totpSecret is configured #520

Open

awsl1414 wants to merge 1 commit into TheNetsky:v3 from awsl1414:fix/bypass-passwordless-when-totp-configured

Conversation

@awsl1414 awsl1414 commented Jun 6, 2026

Problem

When a user has configured totpSecret in accounts.json for automatic TOTP 2FA, the script ignores it if Microsoft presents the passwordless (Authenticator push notification with number matching) page. The LOGIN_PASSWORDLESS handler only waits passively for manual approval, with no attempt to switch to the TOTP entry method.

This is especially problematic because Microsoft may skip the password entry step entirely for some accounts, going straight from email input to the Authenticator push notification page.

Root Cause

The LOGIN_PASSWORDLESS handler in Login.ts calls PasswordlessLogin.handle() which only:

  1. Reads the displayed number
  2. Prints a log asking the user to manually approve
  3. Waits up to 60 seconds for URL change

Unlike GET_A_CODE and OTP_CODE_ENTRY handlers which actively try to bypass the current page by clicking "Other ways to sign in", the passwordless handler has no such bypass logic.

Fix

When totpSecret is configured, the LOGIN_PASSWORDLESS handler now:

  1. Detects that TOTP secret is available
  2. Clicks the existing "Other ways to sign in" link (reuses otherWaysToSignIn selector)
  3. Returns control to the state machine loop
  4. The state machine naturally detects SIGN_IN_ANOTHER_WAY → clicks "Use your password"
  5. Then PASSWORD_INPUT → enters password
  6. Then 2FA_TOTP → auto-fills TOTP code from the secret

If the bypass fails (e.g., "Other ways to sign in" link not found), it gracefully falls back to the original manual approval flow.

Verified State Flow

LOGIN_PASSWORDLESS → (click "Other ways to sign in") →
SIGN_IN_ANOTHER_WAY → (click "Use my password") →
PASSWORD_INPUT → (enter password) →
2FA_TOTP → (auto-fill TOTP code)

Tested with MCP-connected browser debugging against a live account. Log output:

State transition: EMAIL_INPUT → LOGIN_PASSWORDLESS
TOTP secret configured, attempting to bypass passwordless flow
Found "Other ways to sign in" link
State transition: LOGIN_PASSWORDLESS → SIGN_IN_ANOTHER_WAY
Selecting "Use my password"
State transition: SIGN_IN_ANOTHER_WAY → PASSWORD_INPUT
Entering password

Changes

  • src/browser/auth/Login.ts — Added totpSecret bypass in LOGIN_PASSWORDLESS handler
  • .gitignore — Added .mcp.json and .claude/ (project tooling files)

When a user has configured totpSecret for automatic TOTP code entry,
the script should not wait for manual authenticator approval. Instead,
click 'Other ways to sign in' to navigate to the password entry page,
which will then lead to the TOTP code input where the secret can be
used automatically.

The fix follows the existing bypass pattern used by GET_A_CODE and
OTP_CODE_ENTRY handlers, reusing the same otherWaysToSignIn selector
and ghostClick utility.

State flow after fix:
LOGIN_PASSWORDLESS → SIGN_IN_ANOTHER_WAY → PASSWORD_INPUT → 2FA_TOTP

awsl1414 force-pushed the fix/bypass-passwordless-when-totp-configured branch from a51710d to 8eb1f45 on June 6, 2026 22:49
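The handler-and-loop design this PR describes, as an added TypeScript example that is not the project's code: a constructed mock page stands in for the browser, the selector names and the navigation map are assumptions, and the loop shows the bypass path, the fallback when the "Other ways to sign in" link is missing, and the case with no totpSecret configured.

```typescript
type State = 'LOGIN_PASSWORDLESS' | 'SIGN_IN_ANOTHER_WAY' | 'PASSWORD_INPUT'
  | '2FA_TOTP' | 'MANUAL_APPROVAL' | 'LOGGED_IN' | 'UNKNOWN';
interface Account { password: string; totpSecret?: string }
// Placeholder selector names (assumed; the project's real ones are not shown here).
const SEL = { number: 'passwordless-number', otherWays: 'other-ways-to-sign-in',
  usePassword: 'use-password', password: 'password-input', totp: 'totp-input', home: 'home' };
// Constructed stand-in for the browser page: present selectors, an action log, and a
// constructed navigation map saying which page each action leads to.
class MockPage {
  selectors: Set<string>; nav: Record<string, string[]>; acted: string[] = [];
  constructor(selectors: Set<string>, nav: Record<string, string[]>) {
    this.selectors = selectors; this.nav = nav;
  }
  has(sel: string): boolean { return this.selectors.has(sel); }
  act(sel: string): boolean {            // click or fill; like ghostClick, reports a miss
    if (!this.has(sel)) return false;
    this.acted.push(sel);
    this.selectors = new Set(this.nav[sel] ?? []);
    return true;
  }
}
function detectState(page: MockPage): State {
  if (page.has(SEL.number)) return 'LOGIN_PASSWORDLESS';
  if (page.has(SEL.usePassword)) return 'SIGN_IN_ANOTHER_WAY';
  if (page.has(SEL.password)) return 'PASSWORD_INPUT';
  if (page.has(SEL.totp)) return '2FA_TOTP';
  return page.has(SEL.home) ? 'LOGGED_IN' : 'UNKNOWN';
}
// The loop: each handler acts once and returns control; the loop re-detects the page.
// Returns the states visited; MANUAL_APPROVAL marks the fallback the PR keeps.
function runFlow(page: MockPage, account: Account): State[] {
  const trace: State[] = [];
  for (let step = 0; step < 10; step++) {  // bounded, like a retry budget
    const state = detectState(page);
    trace.push(state);
    switch (state) {
      case 'LOGIN_PASSWORDLESS':           // the fix: bypass only when a secret exists
        if (account.totpSecret && page.act(SEL.otherWays)) continue;
        trace.push('MANUAL_APPROVAL'); return trace;
      case 'SIGN_IN_ANOTHER_WAY': page.act(SEL.usePassword); continue;
      case 'PASSWORD_INPUT': page.act(SEL.password); continue;   // enters password
      case '2FA_TOTP': page.act(SEL.totp); continue;             // fills TOTP code
      default: return trace;               // LOGGED_IN or UNKNOWN ends the loop
    }
  }
  return trace;
}
const NAV: Record<string, string[]> = { [SEL.otherWays]: [SEL.usePassword],
  [SEL.usePassword]: [SEL.password], [SEL.password]: [SEL.totp], [SEL.totp]: [SEL.home] };
function newPasswordlessPage(hasOtherWays: boolean): MockPage {
  return new MockPage(new Set(hasOtherWays ? [SEL.number, SEL.otherWays] : [SEL.number]), NAV);
}
```

Running `runFlow(newPasswordlessPage(true), { password: 'pw', totpSecret: 'constructed' })` walks LOGIN_PASSWORDLESS → SIGN_IN_ANOTHER_WAY → PASSWORD_INPUT → 2FA_TOTP → LOGGED_IN, while a page without the link, or an account without a secret, ends in MANUAL_APPROVAL without any action taken.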