
Allow iOS/macOS/iPadOS to autofill 2fa codes
Open, Needs Triage · Public · Feature

Description

The upcoming versions of iPadOS/iOS and macOS include a built-in 2FA client. Using the beta software I've tested the functionality, and have found that when Phabricator or Matomo request a 2FA code, Safari automatically suggests autofilling a 2FA code. With OATHAuth, however, this does not happen. Comparing how the input fields are defined, the only consistent difference I can find is that autofocus is set differently.

// mediawiki
<input id="wpOATHToken" name="OATHToken" size="20" dir="ltr" spellcheck="false" tabindex="1" required="" autofocus="" autocomplete="off" class="mw-ui-input webfonts-changed">

// phabricator
<input type="text" pattern="\d*" name="authfactor.2.mfa.response" autocomplete="off" id="UQ0_0" autofocus="autofocus">

In MediaWiki autofocus is set to an empty string, and in Phabricator/Matomo it's set to "autofocus".
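The comparison above can be checked mechanically. The following is an added example, not part of the original task and not OATHAuth code: it parses the two quoted tags and reports the attributes relevant to code autofill. The function names and the PATCHED tag are constructed for illustration; `one-time-code` is the HTML autofill token for such fields.

```javascript
// Added example (not OATHAuth code): audit the two <input> tags quoted above.
// Boolean attributes are true when present; "" and the attribute's own name
// are both valid values, so autofocus="" and autofocus="autofocus" are equal.
const BOOLEAN_ATTRS = new Set(["autofocus", "required", "disabled", "readonly"]);

// Parse one start tag's attributes into a Map (names lower-cased, first wins).
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, "").replace(/\/?>\s*$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Summarise what matters for one-time-code autofill on a 2FA field.
function auditOtpInput(tag) {
  const a = parseAttributes(tag);
  const tokens = (a.get("autocomplete") ?? "").toLowerCase().split(/\s+/).filter(Boolean);
  return {
    name: a.get("name") ?? null,
    autofocus: a.has("autofocus"),
    autocomplete: tokens.join(" ") || null,
    hintsOneTimeCode: tokens.includes("one-time-code"),
  };
}

// True when the two tags differ in the effective value of the attribute.
function effectiveDiff(tagA, tagB, attr) {
  const [a, b] = [parseAttributes(tagA), parseAttributes(tagB)];
  if (BOOLEAN_ATTRS.has(attr)) return a.has(attr) !== b.has(attr);
  return (a.get(attr) ?? null) !== (b.get(attr) ?? null);
}

// Tags copied from the task description; PATCHED is a constructed variant.
const MEDIAWIKI = '<input id="wpOATHToken" name="OATHToken" size="20" dir="ltr" spellcheck="false" tabindex="1" required="" autofocus="" autocomplete="off" class="mw-ui-input webfonts-changed">';
const PHABRICATOR = '<input type="text" pattern="\\d*" name="authfactor.2.mfa.response" autocomplete="off" id="UQ0_0" autofocus="autofocus">';
const PATCHED = MEDIAWIKI.replace('autocomplete="off"', 'autocomplete="one-time-code"');

console.log(auditOtpInput(MEDIAWIKI), auditOtpInput(PHABRICATOR), auditOtpInput(PATCHED));
console.log("autofocus differs:", effectiveDiff(MEDIAWIKI, PHABRICATOR, "autofocus"));
```

Run with Node.js; both quoted tags report autofocus as enabled and autocomplete as "off".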

Event Timeline

Restricted Application added a subscriber: Aklapper.
Aklapper changed the subtype of this task from "Task" to "Feature Request". Aug 17 2021, 10:48 PM

For future reference, please use the feature request form (linked from the top of the task creation page) for creating feature requests. Thanks.

I’ve done some testing and the solution that I’ve found so far is to set autocomplete to “one-time-code”. It was set to off per T226049 and T141735, but at least in Safari the problem mentioned in those tasks doesn’t happen when setting it to “one-time-code”.

Change 714148 had a related patch set uploaded (by MacFan4000; author: MacFan4000):

[mediawiki/extensions/OATHAuth@master] set autocomplete=‘one-time-code’ on forms

https://gerrit.wikimedia.org/r/714148

Just noting the task description talks about autofocus, but then you're changing autocomplete...

Change 717455 had a related patch set uploaded (by Reedy; author: MacFan4000):

[mediawiki/extensions/OATHAuth@REL1_36] set autocomplete=‘one-time-code’ on forms

https://gerrit.wikimedia.org/r/717455

Change 717456 had a related patch set uploaded (by Reedy; author: MacFan4000):

[mediawiki/extensions/OATHAuth@REL1_35] set autocomplete=‘one-time-code’ on forms

https://gerrit.wikimedia.org/r/717456

Change 714148 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] set autocomplete=‘one-time-code’ on forms

https://gerrit.wikimedia.org/r/714148

Change 717456 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_35] set autocomplete=‘one-time-code’ on forms

https://gerrit.wikimedia.org/r/717456

Change 717455 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_36] set autocomplete=‘one-time-code’ on forms

https://gerrit.wikimedia.org/r/717455

MacFan4000 claimed this task.
Huji subscribed.

This may seem like a cool feature for iOS, but it has a significant undesirable side effect for all other OSs. There was good reason for setting "autocomplete" to "off" in T141735. I doubt that most 2FA logins happen via iOS devices, therefore I suggest we revert this change in favor of the larger user group.

> I’ve done some testing and the solution that I’ve found so far is to set autocomplete to “one-time-code”. It was set to off per T226049 and T141735, but at least in Safari the problem mentioned in those tasks doesn’t happen when setting it to “one-time-code”.

Well, it does occur in Firefox and Chrome.

Spec: HTML5 (doesn't say how exactly it should be handled though)
Firefox bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1547294
No bug reports for other browsers, although https://bugs.chromium.org/p/chromium/issues/detail?id=1026373 is related.