2FA Best Practice - Disable Autocomplete
2fa security twitter · 4 comments · 250 words · read ~684 times.
Just a short usability / security post.
Hopefully, you're all using Two-Factor Authentication on your important sites. As well as a username and password, you've also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS.
Each code can only be used once - which makes it all the more curious that, after a few logins, Twitter's website looks like this:
Now, is there any serious security concern? Well... probably not. Another user of a shared computer could see how many times a user has logged in, they could use the expired codes to reduce the attack surface, and potentially a code could be used as part of a social engineering attack ("To prove this email is genuine, your previous code was 12345").
I'm sure more maliciously minded people than I could think of a few more. The point is, as a security conscious site, why take the risk?
The fix is simplicity itself:
<input type="number" autocomplete="off" />
Every modern browser respects the autocomplete directive. It simply means that dropdown list doesn't appear.
Indeed, that's what Facebook does: 
It's also what Google does: 
GitHub too: 
Indeed, every other site I've tried implements this best practice. I've reported this to Twitter - but they don't seem that interested in fixing it.
Should browsers remember 2FA codes?
autocomplete="one-time-code"to get value from SMS, mail or any notification. Support is unequal I think (both OSes and browsers), but better than nothing.