Firefox might remember old 2FA logins

By admin
I’m big enough to admit when I make a mistake.


A few days ago I had a bit of a rant on Mastodon about how PayPal was encouraging browsers to remember 2FA codes.

I’d tried to log in to PayPal, went to enter my 2FA code and was presented with this:

But, this isn’t PayPal’s fault! Let’s take a look at the code behind each input:

<input name="otpCode-0" id="ci-otpCode-0" aria-invalid="false" placeholder=" " aria-label="1-6" role="textbox" aria-describedby="otpCode" pattern="[0-9]*" for="securityCodeInput" autocomplete="one-time-code" type="number" value="">

It’s correctly using autocomplete="one-time-code" which means that browsers shouldn’t remember any entered codes. Indeed, Firefox has supported this for nearly a year.

So why was I seeing the remnants of old codes?

I was set straight by Asif Youssuff who knows a heck of a lot about Firefox. He pointed out that the values might have been saved from prior to the fix. And, he was right!

Firefox doesn’t remember new codes – but it will regurgitate old codes it had previously remembered.

I’m not sure if that’s desirable or sensible. But it isn’t the bug I thought it was!

I went through and manually deleted the old codes – they haven’t since re-appeared.
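
A scripted version of that clean-up, as an added example that is not part of the original post: it lists saved form-history entries that look like remembered 2FA digits and deletes them. It assumes Firefox's form history lives in a `formhistory.sqlite` file with a `moz_formhistory` table; the field-name patterns, function names and sample rows are constructed for illustration.

```python
import re
import sqlite3

# Assumption: Firefox keeps saved form values in formhistory.sqlite inside the
# profile directory, in a table moz_formhistory(id, fieldname, value, ...).
# The patterns below are illustrative heuristics, not a Firefox rule.
OTP_FIELD = re.compile(r"otp|one.?time|2fa|totp|security.?code", re.I)
OTP_VALUE = re.compile(r"^\d{1,8}$")  # one digit per box, or a whole short code


def find_saved_otp_entries(conn):
    """Return (id, fieldname, value) rows that look like remembered 2FA digits."""
    rows = conn.execute(
        "SELECT id, fieldname, value FROM moz_formhistory ORDER BY id"
    ).fetchall()
    return [r for r in rows if OTP_FIELD.search(r[1]) and OTP_VALUE.match(r[2])]


def delete_entries(conn, ids):
    """Delete the given row ids and return how many rows were removed."""
    if not ids:
        return 0
    marks = ",".join("?" * len(ids))
    cur = conn.execute(f"DELETE FROM moz_formhistory WHERE id IN ({marks})", ids)
    conn.commit()
    return cur.rowcount


def build_sample_db():
    """Constructed sample data standing in for a real profile's form history."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT,"
        " value TEXT, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed)"
        " VALUES (?, ?, 1, 0, 0)",
        [("otpCode-0", "4"), ("otpCode-1", "7"), ("searchbar-history", "firefox 2fa"),
         ("postcode", "12345"), ("securityCode", "abc")],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    hits = find_saved_otp_entries(db)
    print("saved OTP-like entries:", hits)
    print("deleted:", delete_entries(db, [row[0] for row in hits]))
```

To check a real profile, pass `sqlite3.connect()` the path to a copy of `formhistory.sqlite` taken while Firefox is closed, and review the listed rows before deleting anything.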