Should browsers remember 2FA codes?


In HTML, the autocomplete attribute is pretty handy.

The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what if any permission the user agent has to provide automated assistance in filling out form field values, as well as guidance to the browser as to the type of information expected in the field. https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete

In plain English - your browser remembers your email address and presents it in a drop-down box when you try to log in to a service.

That's pretty cool, right? It's useful for accessibility. And there are a bunch of "hints" to help the browser know what data to fill in - so it doesn't accidentally put your postal address where your email address should go.

One of these hints is one-time-code. The theory is, your browser can auto-fill the <input> with a two-factor-authentication code. A phone's browser might automatically grab the 2FA code when it receives an SMS. Or a desktop browser might see the code in the user's clipboard. Clever, huh?

But...

The thing about one-time codes is that they're designed to be used once. An authenticator-app (TOTP) code is typically valid for around 30 to 60 seconds, and a code sent by SMS for a few minutes at most. After that, it's useless. The service will refuse you entry and ask for another code, and a well-built service also refuses a code that has already been used, even while it is still inside its time window. So there is no point having the browser remember the code to let you re-use it later.

And yet...

[Screenshot of the GitHub two-factor authentication screen. The user has typed the number 2, and a dropdown shows a previously entered 2FA code. The HTML code shows the autocomplete attribute.]

Firefox and Chrome both remember 2FA codes and "helpfully" show them in a dropdown. Why?

There is no world where a user would want to re-enter the same 2FA code. If they mistyped the code the first time, showing it again isn't helpful. There is close to zero chance of a previous 2FA code being the same as my current 2FA code. Remembering 2FA codes is a bug, not a feature.

I'm not the first to notice this:

In fact, I've been ranting about this since 2014.

Please - browser manufacturers and spec writers - do some user research to see if the feature you're developing is useful to real-life users.

