Turn off autocomplete on TOTP box
Closed, DeclinedPublic
Actions

Assigned To

None

Authored By

	Reedy
	Jul 14 2022, 4:20 PM

Description

Screenshot 2022-07-14 at 17.19.45.png (540×692 px, 66 KB)

This isn't helpful.

Related Objects

Mentioned In: T356004: Help password managers to detect TOTP login input
Mentioned Here: T226049: When enabling 2FA, autocomplete is enabled when verifying 2FA
T289086: Allow iOS/macOS/iPadOS to autofill 2fa codes

Event Timeline

Reedy created this task.Jul 14 2022, 4:20 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 14 2022, 4:20 PM

Reedy triaged this task as Low priority.Jul 14 2022, 4:21 PM

Reedy updated the task description. (Show Details)

The HTML says we're using autocomplete="one-time-code" which seems to be an experimental feature (caniuse) intended for mobile-phones to prefill from SMS (source).
+1, we should change to autocomplete="off". (specs)
I'd guess in these 3 locations: https://codesearch.wmcloud.org/extensions/?q=one-time-code&i=nope&files=&excludeFiles=&repos=

xref T289086: Allow iOS/macOS/iPadOS to autofill 2fa codes

And T226049: When enabling 2FA, autocomplete is enabled when verifying 2FA

In T313058#8277955, @Quiddity wrote:

The HTML says we're using autocomplete="one-time-code" which seems to be an experimental feature (caniuse) intended for mobile-phones to prefill from SMS (source).
+1, we should change to autocomplete="off". (specs)
I'd guess in these 3 locations: https://codesearch.wmcloud.org/extensions/?q=one-time-code&i=nope&files=&excludeFiles=&repos=

It doesn't seem that experimental - its in the html5 spec and 89% of users have a browser recognizing it.

Although i guess it makes no sense since we dont support sms based 2fa.

Bug resolved on Firefox.

The upstream for Firefox was https://bugzilla.mozilla.org/show_bug.cgi?id=1547294

Izno moved this task from Backlog to Patch merged upstream on the Upstream board.Sep 18 2023, 4:44 AM

In T313058#9173376, @Izno wrote:

The upstream for Firefox was https://bugzilla.mozilla.org/show_bug.cgi?id=1547294

https://phabricator.services.mozilla.com/D158911

Looks like this has been, in theory, "fixed" for a while?

While https://caniuse.com/?search=one-time-code doesn't seem to agree, I only have (seemingly) 1Password trying to annoy me when entering the codes... Which is a different issue (and technically, 1Password could fill the TOTP there)

In T313058#9175581, @Reedy wrote:

In T313058#9173376, @Izno wrote:

The upstream for Firefox was https://bugzilla.mozilla.org/show_bug.cgi?id=1547294

https://phabricator.services.mozilla.com/D158911

Looks like this has been, in theory, "fixed" for a while?

While https://caniuse.com/?search=one-time-code doesn't seem to agree, I only have (seemingly) 1Password trying to annoy me when entering the codes... Which is a different issue (and technically, 1Password could fill the TOTP there)