Firefox might remember old 2FA logins
I'm big enough to admit when I make a mistake.
A few days ago I had a bit of a rant on Mastodon about how PayPal was encouraging browsers to remember 2FA codes.
I'd tried to log in to PayPal, went to enter my 2FA code and was presented with this:
But, this isn't PayPal's fault! Let's take a look at the code behind each input:
<input name="otpCode-0"
       id="ci-otpCode-0"
       aria-invalid="false"
       placeholder=" "
       aria-label="1-6"
       role="textbox"
       aria-describedby="otpCode" pattern="[0-9]*"
       for="securityCodeInput"
       autocomplete="one-time-code"
       type="number"
       value="">
It's correctly using autocomplete="one-time-code", which tells the browser that the field takes a single-use code, so whatever is typed into it shouldn't be saved to form history or offered as a suggestion later. The hint is advisory: a browser that doesn't recognise it treats the box as an ordinary text field and remembers the value like any other. Firefox has supported it for nearly a year.
So why was I seeing the remnants of old codes?
I was set straight by Asif Youssuff, who knows a heck of a lot about Firefox. He pointed out that the values might have been saved from prior to the fix. And, he was right!
Firefox no longer saves new codes, but the fix didn't purge what was already in form history, so it will happily regurgitate old codes it had remembered before the fix landed.
I'm not sure if that's desirable or sensible. But it isn't the bug I thought it was!
I went through and manually deleted the old codes - they haven't since re-appeared.
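If you'd rather not hunt through autocomplete dropdowns by hand, the same clean-up can be done against the profile database. The script below is an added example (not from the original post and not Mozilla's code): it opens a copy of Firefox's formhistory.sqlite, lists saved values whose field name looks like an OTP box and whose value is purely numeric, and deletes them when asked. It relies only on the moz_formhistory table's id, fieldname and value columns; the field-name pattern is a heuristic I chose for the example, and the sample database it builds when run with no arguments is constructed, not taken from a real profile.

```python
"""Find and purge leftover one-time codes in a Firefox formhistory.sqlite."""
import re
import sqlite3
import sys

# Field names that suggest an OTP box. "otpCode-0" from the PayPal form above
# matches the first alternative. Heuristic chosen for this example; extend it
# for the sites you use.
OTP_FIELD_RE = re.compile(
    r"(otp|one.?time|verif|2fa|mfa|totp|security.?code|auth.?code)", re.I
)
# A purely numeric value of 1-8 digits: either a whole code, or one digit of a
# code split across several boxes (PayPal uses six one-digit inputs).
OTP_VALUE_RE = re.compile(r"^\d{1,8}$")


def find_leftover_otp(conn):
    """Return (id, fieldname, value) rows that look like remembered OTP codes.

    Only the moz_formhistory columns id, fieldname and value are used.
    """
    rows = conn.execute(
        "SELECT id, fieldname, value FROM moz_formhistory"
    ).fetchall()
    return [
        (row_id, field, value)
        for row_id, field, value in rows
        if OTP_FIELD_RE.search(field) and OTP_VALUE_RE.match(value)
    ]


def purge(conn, rows):
    """Delete the given rows by primary key; returns how many were removed."""
    removed = 0
    for row_id, _, _ in rows:
        cur = conn.execute("DELETE FROM moz_formhistory WHERE id = ?", (row_id,))
        removed += cur.rowcount
    conn.commit()
    return removed


def build_sample_db():
    """Constructed stand-in for a real profile database.

    Same table and the three columns this script needs, filled with a mix of
    harmless form history and stale OTP digits (all values made up here).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_formhistory ("
        " id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)",
        [
            ("username", "alice"),
            ("search", "firefox one-time-code"),
            ("otpCode-0", "4"),        # stale digit from a six-box OTP form
            ("otpCode-1", "8"),
            ("otpCode-0", "2"),        # a second value remembered for box 0
            ("securityCode", "193847"),  # a whole code saved from one box
            ("postcode", "SW1A 1AA"),  # "code" in the name but not numeric: kept
            ("discountCode", "SUMMER24"),  # hypothetical non-OTP field: kept
        ],
    )
    conn.commit()
    return conn


def main(argv):
    # Usage: python otp_formhistory.py [path/to/formhistory.sqlite] [--purge]
    # With no path, the constructed sample database is used instead.
    paths = [a for a in argv[1:] if a != "--purge"]
    conn = sqlite3.connect(paths[0]) if paths else build_sample_db()
    rows = find_leftover_otp(conn)
    for _, field, value in rows:
        print(f"{field!r}: {value!r}")
    if "--purge" in argv:
        print(f"removed {purge(conn, rows)} entries")
    else:
        print(f"{len(rows)} suspect entries (re-run with --purge to delete)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a copy of the file, with Firefox closed: the database lives in the profile directory (~/.mozilla/firefox/<profile>/ on Linux, ~/Library/Application Support/Firefox/Profiles/<profile>/ on macOS, %APPDATA%\Mozilla\Firefox\Profiles\<profile>\ on Windows), and Firefox holds it open while running. Review the listing before passing --purge, since a field called "code" on some site may be a legitimate thing you want remembered. For one-off removals Firefox also lets you highlight a suggestion in the autocomplete dropdown and press Shift+Delete to drop that single entry from form history.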
Simon R Jones said on mastodon.social:
@Edent interesting, almost feels like a Firefox bug. Glad it works as expected for new one time codes
More comments on Mastodon.