2FA input box isn't hinted as a password, so browsers suggest auto-fills


#1

Observed Behavior:
When entering secure mode and prompted to input the TOTP/etc. 2FA code, browser suggest potential auto-fill options for the input box based on previous inputs.

Expected Behavior:
The form, or at least the input, should be marked autocomplete="off", so that this doesn’t happen.

Phabricator Version:
phabricator 8cbf206d35de724e6f31de856f9e4b7e51c92e51 (Aug 8 2018) as used at Wikimedia

Reproduction Steps:
With a 2FA account, attempt to enter the TOTP prompt that starts with at least once of the digits of a value previously entered with that browser. (Obviously, ensure your browser isn’t in some odd mode where it doesn’t remember/prompt autofills.)

[It’s sad that you took away our ability to file these bugs as tasks on Phabricator and instead route us through a customer support system.]


#2

I couldn’t immediately get any of my browsers to autocomplete this field, and I think browser behavior is fairly questionable here, but see https://secure.phabricator.com/D19722.

[It’s sad that you took away our ability to file these bugs as tasks on Phabricator and instead route us through a customer support system.]

See https://discourse.phabricator-community.org/t/projectphids-is-missing-from-maniphest-search/1966 perhaps.