Firefox might remember old 2FA logins

I'm big enough to admit when I make a mistake.

A few days ago I had a bit of a rant on Mastodon about how PayPal was encouraging browsers to remember 2FA codes.

I'd tried to log in to PayPal, went to enter my 2FA code and was presented with this:

Screenshot of the PayPal login screen. The 2FA login has individual inputs for each number. The first input has a dropdown featuring 3 single numbers.

The third number has a dropdown featuring3 single numbers.

But, this isn't PayPal's fault! Let's take a look at the code behind each input:

<input name="otpCode-0" 
       placeholder=" " 
       aria-describedby="otpCode" pattern="[0-9]*" 

It's correctly using autocomplete="one-time-code" which means that browsers shouldn't remember any entered codes. Indeed, Firefox has support this for nearly a year.

So why was I seeing the remnants of old codes?

I was set straight by Asif Youssuff who knows a heck of a lot about Firefox. He pointed out that the values might have been saved from prior to the fix. And, he was right!

Firefox doesn't remember new codes - but it will regurgitate old codes it had previously remembered.

I'm not sure if that's desirable or sensible. But it isn't the bug I thought it was!

I went through and manually deleted the old codes - they haven't since re-appeared.

Share this post on…

One thought on “Firefox might remember old 2FA logins”

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">

Discover more from Terence Eden’s Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading