Consider using an appropriate HTML field type for 2FA/TOTP

[dsalazarCazanhas]

🏷️ Discussion Type

Product Feedback

💬 Feature/Topic Area

Other

Body

At some point, I noticed that the GitHub 2FA input field is implemented as a generic text field. THIS IS NOT A FUNCTIONAL PROBLEM by itself, but it may reduce compatibility with some password managers that support TOTP autofill based on the HTML field type or related form semantics.

Since GitHub has been expanding and enforcing 2FA adoption, improving this part of the login experience could make authentication more convenient for many users who rely on password managers with built-in TOTP support. In practice, this may be a relatively small frontend adjustment, but it could have a meaningful impact on usability and accessibility.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[asaddevx]

Hi @dsalazarCazanhas — this is a thoughtful observation!

Quick Fact Check

Interestingly, GitHub already uses autocomplete="one-time-code" on their 2FA input field [citation:6]. A GitHub staff member confirmed this in a 2021 discussion [citation:6].

So the semantic hint is already there!

Why Some Password Managers Still Struggle

The issue you're experiencing may be specific to certain password managers:

1. Proton Pass (which you mentioned in the Stack Overflow discussion [citation:1]) — they acknowledged TOTP autofill is still evolving
2. Bitwarden — generally works well with autocomplete="one-time-code"
3. 1Password — supports TOTP autofill but requires the field to be properly identified

Additional Improvements You Could Suggest

Beyond autocomplete, GitHub could add:

Attribute	Purpose
inputmode="numeric"	Shows numeric keyboard on mobile [citation:4]
pattern="[0-9]*"	Triggers numeric keyboard on iOS specifically [citation:4]

These would improve mobile usability without breaking existing password manager compatibility.

Bottom Line

Your feedback is valid, but GitHub has already implemented the core semantic attribute (autocomplete="one-time-code"). The remaining issues may be on the password manager side. Consider filing a bug report with your specific password manager!

Great suggestion regardless — every bit of usability improvement helps as GitHub enforces 2FA more broadly.

[dsalazarCazanhas]

Thanks for your awesome answer. I checked the autocomplete="one-time-code" function that you mentioned. I am indeed using Proton Pass in Brave, and I can see that the one-time code is working fine. Thanks for pointing that out and for taking the time to explain it.