In HTML, the
autocomplete attribute is pretty handy.
autocompleteattribute is available on
<input>elements that take a text or numeric value as input,
autocompletelets web developers specify what if any permission the user agent has to provide automated assistance in filling out form field values, as well as guidance to the browser as to the type of information expected in the field.
In plain English - your browser remembers your email address and presents it in a drop-down box when you try to log in to a service.
That's pretty cool, right? It's useful for accessibility. And there are a bunch of "hints" to help the browser know what data to fill in - so it doesn't accidentally put your postal address where your email address should go.
One of these hints is
one-time-code. The theory is, your browser can auto-fill the
<input> with a two-factor-authentication code. A phone's browser might automatically grab the 2FA when it receives an SMS. Or a desktop browser might see the code in the user's clipboard. Clever, huh?
The thing about one-time codes is that they're designed to be used once. A code is typically valid for around 60 seconds. After that, it's useless. The service will refuse you entry and ask for another code. So there is no point having the browser remember the code to let you re-use it later.
Firefox and Chrome both remember 2FA codes and "helpfully" show them in a dropdown. Why?
There is no world where a user would want to re-enter the same 2FA code. If they mistyped the code the first time, showing it again isn't helpful. There is close to zero chance of a previous 2FA code being the same as my current 2FA code. Remembering 2FA codes is a bug, not a feature.
I'm not the first to notice this:
— Kai Hendry (@kaihendry) August 7, 2021
This irritates me far more than it should. If you're coding up a 2FA form, autocomplete=off please 👍 pic.twitter.com/jXBRithoH5
— Dave Marshall (@davedevelopment) September 18, 2018
— UX Opportunities (@UXOpportunities) April 29, 2021
→ user with 2FA enabled
→ the 6-digit password field to have autocomplete
So that I can…
→ save time whenever I win the 2FA lottery
— Lynn (@chordbug) February 22, 2021
In fact, I've been ranting about this since 2014.
Please - browser manufacturers and spec writers - do some user research to see if the feature you're developing is useful to real-life users.