Support » Plugin: Two Factor Authentication » Please turn off autocomplete on the OTP input field

  • Resolved Paddy Landau

    (@paddy-landau)


    When the OTP screen is shown, autocomplete is on (the default in HTML). This means that the field remembers all the entries previously typed, and additionally shows a nonsense entry — for me, it’s usually my username. The field should be blank, ready to accept the OTP as typed by the user.

    To fix this, the input field needs the autocomplete attribute to be turned off, as:

    <input autocomplete="off" ... />

    Please would you add the autocomplete entry to the OTP input field.

    Thank you

Viewing 15 replies - 1 through 15 (of 20 total)
  • Plugin Author David Anderson

    (@davidanderson)

    It’s already there – use your browser DOM inspector to confirm.

    I guess you’re using Google Chrome. They’ve decided that it should be ignored. https://bugs.chromium.org/p/chromium/issues/detail?id=914451 .

    Ah, thank you for that. Yes, I’m using Chrome.

    I’ve starred the issue. I hope that they do something with it.

    Plugin Author David Anderson

    (@davidanderson)

    I have read a suggestion that changing autocomplete="off" to autocomplete="tfa" might achieve the desired result. Does that work for you? (Search for autocomplete in includes/tfa.js and includes/wooextend.js in the plugin).

    Thanks for the recommendation. I’ve tried it, and I still get my username shown as the recommended value for the OTP.

    According to what I’ve read — but please be aware that I am not an expert — only the values “off” and “on” are specified for autocomplete. If I’m right, “tfa” would be non-standard.

    Thanks, anyway. I’ll just have to live with it until Google fixes Chrome.

    Edward

    (@edwardsh)

    David,

    While Google sleeps, try using the combination type="number" and autocomplete="one-time-code", or at least type="number".

    It seems that it solves the problem for all Chromium-based browsers (Chrome, Opera, Yandex). Firefox seems to work fine too.

    Plugin Author David Anderson

    (@davidanderson)

    @edwardsh Unfortunately setting the input type to number causes arrows/spinners to appear, which can only be turned off in some browsers with non-standard browser-specific CSS.

    Does autocomplete="one-time-code" not do it for you on its own? (I’m having trouble testing – my install of Chrome is never auto-completing, for some reason, on these fields, so I have not been able to reproduce the problem).

    If that doesn’t work, how about if you also add the attribute pattern="[0-9]{1,}" ? (That specifies that the input should be numeric, so should discourage the browser from auto-filling with something invalid).

    Paddy Landau

    (@paddy-landau)

    I have tested those suggestions, using pattern="[0-9]{6}", but it doesn’t make a difference for me. Oh well. Let’s wait for Google to fix Chrome.

    Plugin Author David Anderson

    (@davidanderson)

    It’ll auto-fill with a username that doesn’t match the required pattern? Presumably then it complains if you try to submit it?

    I don’t believe Google are intending to “fix” Chrome; they consider ignoring the autocomplete hint and running their own logic to be the optimal behaviour.

    Paddy Landau

    (@paddy-landau)

    It’ll auto-fill with a username that doesn’t match the required pattern?

    Yes, it does! Bizarre.

    Presumably then it complains if you try to submit it?

    Yes, at least it has the sense to prevent submission.

    Edward

    (@edwardsh)

    David,

    autocomplete="one-time-code" does not work for me alone

    the combination autocomplete="one-time-code" & tfa_field.pattern = '[0-9]{1,}' does not work either

    type="number" does work alone

    I think that besides ignoring autocomplete="off", the Chrome heuristic is mistaken in defining the field for the username. And that’s the whole point. At the first login (when Chrome does not know anything about the site, there are no saved passwords and the site is not specified as “do not save passwords”), it suggests saving the just-entered TFA code as a login. In other words, I think Chrome associates the TFA field with the username and ignores the rule, since the username should not be empty. What signs it uses, I do not know. Perhaps it checks the name and id attributes of all form fields.

    As for the arrows, it seems to me that this is not a problem if this does not violate the program logic of the plugin. Just an additional visual effect that I didn’t even immediately notice when testing. But type=number can save a call to the site if the user enters incorrect data, such as letters. So probably I will stick with it if I don’t find a better workaround.

    Paddy Landau

    (@paddy-landau)

    If you are correct in that Chrome thinks that the 2FA field is in fact a username, the question becomes, “Why does it think that?” Is it something to do with the ID of the field?

    Plugin Author David Anderson

    (@davidanderson)

    Well, it’s called two_factor_code and has ID two_factor_auth.

    I guess they’re probably doing something simplistic like “vertically highest displaying field on a login form”. Probably the best place to pursue it is the Chrome bug-tracker. I’m not keen on ugly hacks in the plugin that may need re-doing next time they fiddle with something; if Chrome is faulty, it’s best for a Chrome user to report that to them and get it fixed at source.

    Edward

    (@edwardsh)

    Paddy,

    What login plugin do you use with TFA? Could you show your input field for the username?

    I use the Theme My Login plugin, where the input field is described as
    <input name="log" type="text" value="" id="user_login" class="tml-field">

    Perhaps changing the name and id attributes may help.

    Paddy Landau

    (@paddy-landau)

    @edwardsh — I don’t fully understand your question. This is the forum for the plugin Two Factor Authentication. This isn’t the forum for the Theme My Login plugin.

    Are you saying that it works for you when you use that plugin together with this one? If so, I shall give it a try.

    Edward

    (@edwardsh)

    The problem is obviously not in the TFA plugin, but in how Chrome determines the username field. Perhaps Chrome analyzes the attributes of id and name of all forms on the page. That is why I asked you a question.
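
A client-side guard for the behaviour discussed in this thread, as an added example that is not part of any post and is not the plugin's code: it keeps the OTP field blank or numeric even when the browser ignores the autocomplete hint and fills in a username. The id `two_factor_auth` comes from the thread; the six-digit length, the function names, and the assumption that autofill surfaces through the field's value and its `input`/`change` events are mine.

```javascript
// Added example, not plugin code. The id "two_factor_auth" is from the thread;
// OTP_LENGTH, nextOtpValue and guardOtpField are assumed names and values.
const OTP_LENGTH = 6;

// Decide what the field should hold after a change from `previous` to `current`.
function nextOtpValue(previous, current) {
  const compact = current.replace(/\s+/g, ''); // tolerate "123 456"
  if (/^[0-9]*$/.test(compact)) return compact.slice(0, OTP_LENGTH);
  // Several characters arriving at once with non-digits among them: an
  // autofilled username or a stray paste. Discard it rather than salvage
  // digits, so "user1984" does not turn into "1984".
  if (Math.abs(compact.length - previous.length) > 1) return '';
  // A single mistyped character: drop it and keep what was typed so far.
  return compact.replace(/[^0-9]/g, '').slice(0, OTP_LENGTH);
}

// Keep an OTP <input> blank or numeric, whatever the browser puts into it.
function guardOtpField(field) {
  let previous = '';
  const scrub = () => {
    const cleaned = nextOtpValue(previous, field.value);
    if (cleaned !== field.value) field.value = cleaned;
    previous = cleaned;
  };
  scrub(); // value filled in before this script ran
  field.addEventListener('input', scrub);
  field.addEventListener('change', scrub);
  return scrub;
}

// Only runs in a browser; the id is the one quoted in the thread.
if (typeof document !== 'undefined') {
  const field = document.getElementById('two_factor_auth');
  if (field) guardOtpField(field);
}
```

This only tidies the field for the user; the server-side check of the submitted code remains the actual verification.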
