Just a short usability / security post.
Hopefully, you’re all using Two-Factor Authentication on your important sites. As well as a username and password, you’ve also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS.
Each code can only be used once – which makes it all the more curious that, after a few logins, Twitter’s website looks like this:
Now, is there any serious security concern? Well… probably not. Another user of a shared computer could see how many times a user has logged in, they could use the expired codes to reduce the attack surface, and potentially a code could be used as part of a social engineering attack (“To prove this email is genuine, your previous code was 12345”).
I’m sure more maliciously minded people than I could think of a few more. The point is, as a security conscious site, why take the risk?
The fix is simplicity itself:
<input type="number" autocomplete="off" />
Every modern browser respects the autocomplete directive. It simply means that dropdown list doesn’t appear.
Indeed, that’s what Facebook does:
It’s also what Google does:
Indeed, every other site I’ve tried implements this best practice. I’ve reported this to Twitter – but they don’t seem that interested in fixing it.