On April 24, 2020, I learned...

There’s an input attribute for a one-time code

You know the little text message you get when logging into a site where you have two-factor authentication enabled?

Screenshot of the Apple Messages desktop app with a message from Dropbox containing a six-digit code to log in.

Apparently, that’s something HTML can fetch straight from a message app and use to autocomplete a numeric/password input that has the autocomplete="one-time-code" attribute on it.

Source / Spec

Comments

  1. Michael Car
    # May 1, 2020

    Hey, there…
    That autocomplete=”one-time-code” seems like it will be very helpful, thanks. Errm, I uhh…I am rather embarrassed to have to ask this, but where would I enter this attribute in regards to the 2FA, or, even more embarrassing, did you mention this as a kind of precautionary “see how easy it is for someone to copy your clipboard (which I’ve been hearing about a lot lately), so be careful, etc” measure? I apologize for the possibly-dumb question. And thank you for your time and help (hopefully). :-)

    Reply
    • Geoff Graham
      # May 1, 2020

      Not a dumb question at all! I haven’t played with the attribute yet, but I imagine that adding it to an input (e.g. <input type="password" autocomplete="one-time-code"&gt; will tell the field to look for incoming or received messages with a code it can use to autocomplete the field, regardless of how 2FA is implemented.

      I’ve seen the autocomplete option come up before when I’ve received a text message containing a one-time-time (such as Dropbox). I’ll have to snag a screenshot of that and add it here next time I’m able to catch it.

  2. # May 18, 2020

    Do you know how exactly it works? I guess on mobile OSes like Android and iOS browser receives notifications from system when the SMS is received, that’s clear. But what about desktop? Does it work there and how exactly? Which apps are supported, is there some specially protocol for exchanging data between browser and other software?

    Reply
    • # June 3, 2020

      I haven’t played with it yet, but the screenshot in the post was taken straight from my desktop, using the MacOS Messages app. I’d imagine the same would be true of any app that receives text messages sent to your phone number.

Leave a Reply

Markdown supported