
offline

Hello,

It's a good plugin, however the backend form when adding the 2FA code to login has autocomplete turned on. This is a real issue as when I click on the form all the old codes appear and are stored in the browser. To hack the 2FA all I need to do is have a collection of 2FA codes and timestamps. Please can you turn off the autocomplete to fix this security issue. Currently the code in the DOM says the following:

<input id="token" type="number" name="key" value="" class="form-control input-icon" placeholder="Authentication code" autocomplete="one-time-code" autofocus="" inputmode="numeric" pattern="[0-9]*">

Please turn off the autocomplete for the 2FA form field.

Thanks.

VDLP

Not sure if this is a "high risk" security issue, but I agree with you this data should not be stored in the browsers' cache.

We added autocomplete="one-time-code" to support SMS 2FA and/or Password Managers which will autocomplete this OTP field (see: https://developer.apple.com/documentation/security/password_autofill/enabling_password_autofill_on_an_html_input_element)

We'll take this into consideration, thanks for reaching out!
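As an added check, not code from the plugin discussed in this thread: a small template audit that parses `<input>` tags from an HTML string and reports how each OTP-looking field is set for autocomplete, so a reviewer can see at a glance which fields leave the browser's form history behaviour at its default. The sample HTML is the element quoted above plus constructed variants.

```javascript
// Added example (not the plugin's code): audit <input> tags for how OTP fields
// handle browser autocomplete. Regex-based so it runs on raw templates offline.
const INPUT_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute string of one <input ...> tag into a plain object.
function parseAttrs(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Heuristic: does this input look like a 2FA / one-time-code field?
function looksLikeOtpField(attrs) {
  const hint = [attrs.id, attrs.name, attrs.placeholder, attrs.autocomplete]
    .filter(Boolean).join(" ").toLowerCase();
  return /one-time-code|\b(otp|token|2fa|mfa|totp)\b|authentication code/.test(hint);
}

// Classify each OTP-looking input:
//   "off"           -> browser asked not to store or suggest past values
//   "one-time-code" -> autofill hint for SMS / password-manager OTP delivery
//   "default"       -> no directive; browser may keep entered values in its
//                      form history and offer them again on the next visit
function auditOtpInputs(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!looksLikeOtpField(attrs)) continue;
    const ac = (attrs.autocomplete || "").trim().toLowerCase();
    const setting = ac === "off" ? "off" : ac === "one-time-code" ? "one-time-code" : "default";
    findings.push({ id: attrs.id || null, name: attrs.name || null, autocomplete: ac || null, setting });
  }
  return findings;
}

// Constructed sample: the element quoted in the thread plus three variants.
const SAMPLE_HTML = `
<input id="token" type="number" name="key" value="" class="form-control input-icon" placeholder="Authentication code" autocomplete="one-time-code" autofocus="" inputmode="numeric" pattern="[0-9]*">
<input id="otp" type="text" name="otp" autocomplete="off" inputmode="numeric">
<input id="code" type="text" name="code" placeholder="2FA code">
<input id="email" type="email" name="email" autocomplete="email">
`;

console.log(auditOtpInputs(SAMPLE_HTML));
```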

offline

@VDLP

Thank you for updating the plugin.

p.s. Thanks for all your hard work with all your plugins and always answering people's comments and requests!

VDLP

offline said:

@VDLP

Thank you for updating the plugin.

p.s. Thanks for all your hard work with all your plugins and always answering people's comments and requests!

With pleasure!
