On Mon, 2015-05-18 at 14:16 -0700, Kevin Cernekee wrote: > > Yes, and that's what you'll see in the message field. Maybe I could hash > > that thing, and give a form 'name' that depends on that, but that would > > be harder to interpret when the reply is sent. > OpenConnect on Android already computes a hash that includes each form > label, so it can remember different passwords for account password vs. > OTP. It won't send the user's "Password:" password in response to a > "One-time password (OATH) for `username':" prompt. Is that for the input type's label or the message field in config-auth section?
