Add autocomplete="off" to 2FA code input form

[Quix0r]

Please consider adding a tiny autocomplete="off" to your 2FA code input form (when you have to enter the code) so it won't get stored in browser's form storage for better privacy.

Firefox 78.12.0esr (64-bit) under Debian Linux 11.

[TPS]

for better privacy.

Rather, for irrelevance — saving the 2FA code is pointless, as it's 1-use only! Also, it grows the browser storage uselessly.

[Quix0r]

Yes, and the code is always the same here strangely. But only for @github - For other sites I always get a new code. I use oathtool.

[Quix0r]

Confusing to me as well. Well, maybe I should make a screenshot of it when I enter the 2FA code.

[emmaviolet]

Just a note to say we're looking into this

[emmaviolet]

Just to follow up - we looked into this, but it looks like we'd lose some convenience for users who have SMS 2FA if we did this, and we'd rather not do that.

We're already using autocomplete="one-time-code".

In iOS and Safari on macOS we can [...] have the browser suggest two factor authentication codes that are sent to the device over SMS. Adding the autocomplete attribute with the value "one-time-code" will trigger this behaviour.

(https://www.twilio.com/blog/html-attributes-two-factor-authentication-autocomplete)

Therefore, we have two options, and it feels like "leave as-is" probably is the best:

1. leave as-is - get fancy SMS autocomplete on mac/iOS, get annoying autocomplete elsewhere
2. switch to autocomplete="off" - don't get fancy SMS autocomplete on mac/iOS, but also don't get annoying autocomplete elsewhere

[emmaviolet]

OS can be detected, but then we'd still need to know whether users have received the code via SMS or not, which I guess we could find, but would involve quite a round trip for a small change.

Complain to Apple that they're doing it wrong & then proceed to hold breath 🤢

Yes, this was our first solution too 😇

[TPS]

OS can be detected, but then we'd still need to know whether users have received the code via SMS or not, which I guess we could find, but would involve quite a round trip for a small change.

Why so much? On 1st page/header request, detect OS/browser, then:

• autocomplete="off" by default
• autocomplete="one-time-code" for any appropriate MacOS/Safari.

Why's SMS detection relevant for this algo?

[emmaviolet]

Why's SMS detection relevant for this algo?

There are multiple 2FA methods, so if you don't use SMS 2FA, presume you wouldn't want autocomplete="one-time-code" either.

[TPS]

There are multiple 2FA methods, so if you don't use SMS 2FA, presume you wouldn't want autocomplete="one-time-code" either.

This seems like a case of perfect getting in the way of good enough for now. If MacOS folks are the issue, let them have it as it is, but solve for everyone else sooner, then iterate when a better solution presents, no?

[emmaviolet]

This seems like a case of perfect getting in the way of good enough for now. If MacOS folks are the issue, let them have it as it is, but solve for everyone else sooner, then iterate when a better solution presents, no?

Yeah, that's fair. To be honest your proposal seemed a little like a case of perfect getting in the way of good enough for now on first glance to me, too. I remain a little concerned that 1) our methods of detecting OS aren't perfectly reliable, and I'd rather not sacrifice convenience for the sake of irrelevance; and 2) that it'll involve js which feels kind of clunky for something like this.

But we're having a look to see whether that's justified ^^

Also, if you want to add your voice to the related firefox bug report... https://bugzilla.mozilla.org/show_bug.cgi?id=1547294

[Quix0r]

Okay, so does this mean one-time-code is some kind of non-standard value? Because Firefox follows W3C (as I know). I'm using 78.12.0esr (64-bit) here.

[TPS]

Per the link above, this behavior looks to be (currently?) an Apple-only addition to the standard.

[Quix0r]

Well, okay. Before we continue bash Apple, let's close this discussing. Maybe your proposed change may work, default: off, MacOS/iOS detected: one-time-code.

[emmaviolet]

Apologies, was off last week, so this slipped a bit. Upshot, though, is that we looked into a js solution and it wasn't as clunky as we feared. Hope to ship soon.

[emmaviolet]

This shipped 4 days ago. Thanks for the pointer @Quix0r and to all of you for your feedback

[TPS]

@Quix0r Close FTW?

[Quix0r]

Thank you, I have enabled it already some time ago.

[TPS]

@Quix0r No, I mean, you've the ability to close this discussion, now that its RFE is implemented.

[TPS]

Obligatory xkcd: