2FA Best Practice - Disable Autocomplete
Just a short usability / security post.
Hopefully, you're all using Two-Factor Authentication on your important sites. As well as a username and password, you've also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS.
Each code can only be used once - which makes it all the more curious that, after a few logins, Twitter's website looks like this:
Now, is there any serious security concern? Well... probably not. Another user of a shared computer could see how many times you've logged in; a list of spent codes is more information than an attacker should ever be handed; and a code could be reused in a social engineering attack ("To prove this email is genuine, your previous code was 12345").
I'm sure more maliciously minded people than I could think of a few more. The point is, as a security conscious site, why take the risk?
The fix is simplicity itself:
<input type="number" autocomplete="off" />
Every modern browser respects the autocomplete directive on an ordinary text field: it tells the browser not to offer that field's previously entered values, so the dropdown of spent codes never appears. (Built-in password managers famously ignore autocomplete="off" on username and password fields, but that exemption is about saved credentials, not the form-history suggestions shown for a one-time-code box.)
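To make the fix checkable rather than something you eyeball per site, here is an added example (my code, not from the original post) that audits a page's markup for one-time-code inputs the browser would remember. The function names, the OTP-detection heuristic and both sample login forms are constructed for this example. It accepts either autocomplete="off" (the fix above) or autocomplete="one-time-code" (the HTML standard's dedicated autofill token); the hardened sample also uses type="text" with inputmode="numeric", the usual recommendation for digit-only codes. Whether a given browser also suppresses its history dropdown for "one-time-code" is worth verifying in the browsers you support.

```javascript
// Added example: audit login-page markup for one-time-code inputs that lack a
// safe autocomplete setting. Not code from the original post; all names and
// sample markup below are constructed for illustration.

// Heuristic: field names/ids/labels that usually denote a second-factor code.
const OTP_HINT = /(otp|one[-_ ]?time|2fa|mfa|totp|verif|auth[-_ ]?code|^code$|token)/i;

// Input types that never carry a typed one-time code (or, for password,
// are never saved to form history), so they are out of scope for this check.
const IGNORED_TYPES = new Set([
  "hidden", "submit", "button", "reset", "image", "file",
  "checkbox", "radio", "password",
]);

// Minimal attribute parser: adequate for <input ...> tags, not a full HTML parser.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the attribute map of every <input> tag in the markup.
function findInputs(html) {
  const inputs = [];
  const re = /<input\b([^>]*?)\/?>/gi;
  let m;
  while ((m = re.exec(html)) !== null) inputs.push(parseAttributes(m[1]));
  return inputs;
}

// Does this input look like it receives a one-time code?
function looksLikeOtpField(attrs) {
  const type = (attrs.type || "text").toLowerCase();
  if (IGNORED_TYPES.has(type)) return false;
  if ((attrs.autocomplete || "").trim().toLowerCase() === "one-time-code") return true;
  return [attrs.name, attrs.id, attrs["aria-label"], attrs.placeholder]
    .filter(Boolean)
    .some((v) => OTP_HINT.test(v));
}

// Either value stops the browser offering previously typed codes.
function autocompleteIsSafe(attrs) {
  const ac = (attrs.autocomplete || "").trim().toLowerCase();
  return ac === "off" || ac === "one-time-code";
}

// The audit: OTP-looking inputs whose autocomplete setting is missing or unsafe.
function findUnprotectedOtpInputs(html) {
  return findInputs(html).filter((a) => looksLikeOtpField(a) && !autocompleteIsSafe(a));
}

// Constructed sample: the pattern the post complains about (no autocomplete on the code box).
const WEAK_LOGIN_PAGE = `
<form method="post" action="/login">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="number" name="otp" placeholder="6-digit code">
  <input type="submit" value="Log in">
</form>`;

// Constructed sample: the same form with the code box hardened.
const HARDENED_LOGIN_PAGE = `
<form method="post" action="/login">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="text" name="otp" inputmode="numeric" pattern="[0-9]{6}" maxlength="6"
         autocomplete="one-time-code">
  <input type="submit" value="Log in">
</form>`;

// Human-readable report for one page's markup.
function report(label, html) {
  const bad = findUnprotectedOtpInputs(html);
  if (bad.length === 0) return `${label}: OK, no unprotected one-time-code inputs`;
  const names = bad.map((a) => a.name || a.id || "(unnamed)").join(", ");
  return `${label}: ${bad.length} unprotected one-time-code input(s): ${names}`;
}

console.log(report("weak", WEAK_LOGIN_PAGE));
console.log(report("hardened", HARDENED_LOGIN_PAGE));
```

Run it against a saved copy of your own login page's HTML; anything it reports is a field whose spent codes will pile up in the browser's history dropdown exactly as in the Twitter screenshot. The name-based heuristic is deliberately loose, so treat a hit as something to look at, not a verdict.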
Indeed, that's what Facebook does:
It's also what Google does:
GitHub too:
Every other site I've tried implements this best practice. I've reported this to Twitter, but they don't seem that interested in fixing it.
z3z said on mastodon.scot:
@Edent We have one of those bank tokens (as they call them) to authorise payments at work and, yup, every previous code I've entered shows in the box on the bank's website 🤷♀️
ffoodd said on mamot.fr:
@Edent On single input 2fa, you may use
autocomplete="one-time-code"
to get the value from SMS, mail or any notification. Support is unequal I think (both OSes and browsers), but better than nothing.
Edward Dore said on social.spheron.one:
@Edent it used to drive me absolutely insane that Nominet didn't have autocomplete disabled for TOTP 2FA on the login form for registrar online services, and thanks to their horrifically slow development, it took literally YEARS for them to eventually get around to fixing it, despite it being so trivial! 🤦🏻♂️
I did once have a collision on a 2FA code with something in the (rather extensive) autocomplete list saved in my browser, but I could have fat-fingered a previous code 🤷🏻♂️
Robert Atkins said on mastodon.social:
@Edent This is such a pathetic abrogation of the most basic responsibilities of being a web developer (… and QA team, and product manager.) Why are we like this?