open-ui icon indicating copy to clipboard operation
open-ui copied to clipboard

Published 20 hours ago verified publisher icon openui

Add a new input type for verification codes

Open alejsanc opened this issue 2 years ago • 8 comments
trafficstars

A verification code sent by SMS is increasingly used as double authentication. To enter this code and make it not visible it is common to use a password input. When the browser sees a password input it thinks it is a user password and gives you the opportunity to save the password. To avoid this, a new "verification-code" input could be used.

<input type="verification-code"/>

alejsanc avatar Jul 02 '23 11:07 alejsanc

Some prior work in this space:

dbaron avatar Jul 05 '23 20:07 dbaron

@alejsanc any reasons that the autocomplete solution provided by @dbaron won't suffice?

gregwhitworth avatar Jul 11 '23 00:07 gregwhitworth

@alejsanc is there anything further you'd like to add or can I go ahead and close this issue?

lukewarlow avatar Sep 18 '23 23:09 lukewarlow

Ah rereading this I guess the request is for a way to hide the contents of an input that isn't type password. Which I think is a valid request. But probably better directed to the CSSWG directly.

https://github.com/w3c/csswg-drafts/issues/6788 mentions something similar (more about toggling the obfuscation of password inputs)

I would like to say that the context of this request is odd though. Why does a one time code need obscuring on entry? Anyone looking of their shoulder shouldn't have enough time to enter this code in a useful manner regardless of whether they can see it?

lukewarlow avatar Sep 21 '23 14:09 lukewarlow

The CSSWG is not the correct location for this but WHATWG.

Why does a one time code need obscuring on entry?

+1 from me but honestly this would be easy to implement by merely duplicating the majority of password outside of the various namings.

gregwhitworth avatar Sep 22 '23 22:09 gregwhitworth

I thought csswg for a new "input-obscure" property. But yeah for a whole new input type it'd be whatwg

lukewarlow avatar Sep 24 '23 11:09 lukewarlow

I would like to say that the context of this request is odd though. Why does a one time code need obscuring on entry? Anyone looking of their shoulder shouldn't have enough time to enter this code in a useful manner regardless of whether they can see it?

Both by computer and manual means, the user can be stopped before using the code and give the attacker time. In general, the more barriers the attacker has, the better.

alejsanc avatar Nov 15 '23 20:11 alejsanc

There hasn't been any discussion on this issue for a while, so we're marking it as stale. If you choose to kick off the discussion again, we'll remove the 'stale' label.

github-actions[bot] avatar May 16 '24 00:05 github-actions[bot]