2FA Best Practice – Disable Autocomplete

by @edent

Just a short usability / security post.

Hopefully, you’re all using Two-Factor Authentication on your important sites. As well as a username and password, you’ve also got to enter a one-time code. Usually it is generated by an app, or sent to you via SMS.

Each code can only be used once – which makes it all the more curious that, after a few logins, Twitter’s website looks like this:

[Screenshot: Twitter 2FA autocomplete]

Now, is there any serious security concern? Well… probably not. Another user of a shared computer could see how many times a user has logged in, could use the expired codes to narrow down what a valid code looks like, and could potentially use a code as part of a social engineering attack (“To prove this email is genuine, your previous code was 12345”).

I’m sure more maliciously minded people than I could think of a few more. The point is, as a security-conscious site, why take the risk?

The fix is simplicity itself:

<input type="number" autocomplete="off" />

Every modern browser respects the autocomplete directive. It simply means the dropdown list doesn’t appear.
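As an added example (not from the original post), here is a small Node.js check that scans a login template for 2FA code fields that still leave autocomplete enabled; the field-name heuristic and the sample form are constructed assumptions. It also accepts the newer `one-time-code` value, which browsers treat as a hint to offer the code just received rather than a history dropdown.

```javascript
// Added example: lint <input> tags in an HTML template for 2FA code fields
// whose autocomplete attribute is missing or not disabled.
// Assumptions (not from the post): a field is treated as a one-time-code
// field if its name/id matches a constructed keyword list; input is raw HTML.

const ACCEPTED = new Set(["off", "one-time-code"]);

// Parse name="value" / name='value' / name=value / bare boolean attributes.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Constructed heuristic for spotting the one-time-code field.
function looksLikeOtpField(attrs) {
  const hint = `${attrs.name || ""} ${attrs.id || ""}`.toLowerCase();
  return /otp|one.?time|2fa|verification|code|token/.test(hint);
}

// Returns one finding per OTP-looking input: its autocomplete value and
// whether that value stops the browser from offering previous codes.
function auditOtpInputs(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    if (!looksLikeOtpField(attrs)) continue;
    const ac = (attrs.autocomplete || "").trim().toLowerCase();
    findings.push({
      field: attrs.name || attrs.id || "(unnamed)",
      autocomplete: ac || null,
      ok: ACCEPTED.has(ac),
    });
  }
  return findings;
}

// Constructed sample: the first field is shipped the way the post criticises,
// the second carries the fix, the CSRF token is not a code field and is skipped.
const SAMPLE_HTML = `
<form method="post" action="/login/verify">
  <input type="number" name="challenge_code" />
  <input type="number" name="backup_token" autocomplete="off" />
  <input type="hidden" name="csrf" value="deadbeef" />
</form>`;

module.exports = { auditOtpInputs, parseAttributes, looksLikeOtpField, SAMPLE_HTML };
```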

Indeed, that’s what Facebook does:
[Screenshot: Facebook 2FA]

It’s also what Google does:
[Screenshot: Google 2FA]

GitHub too:
[Screenshot: GitHub 2FA]

Indeed, every other site I’ve tried implements this best practice. I’ve reported this to Twitter – but they don’t seem that interested in fixing it.
