> You can use more than one autocomplete value at a time too. If your username is also an email address you can give the browser and any associated password managers a hint with ‘autocomplete="username email"’.<p>This whole paragraph is incorrect. While the attribute value does allow multiple tokens there is a very specific syntax defined in the HTML standard and it doesn’t support multiple field names (types) i.e. autocomplete="username email" is invalid. If you access ‘input.autocomplete’ on an input with that attribute value “” will be returned indicating this.
What this write up on 2fa is missing is that rather than using proprietary solutions like authy, we should be moving towards what we’ve now standardised as webauthn. If we had platform authenticators or we had a google/apple first party implementation of something like Krypton, we would be in such a better place security wise.
> In a sign up form, make sure to use the "new-password" value as it triggers password suggestions in some browsers.<p>Nice. I didn't know about that.
While Twilio does a lot right, they still only offer SMS and their own proprietary Authy solution for 2FA for their website. No TOTP (and still no plan to offer the industry standard) means that this has a whiff of hypocrisy.
These are all super nice and I really wish more developers made use of these, but my main complain is not having username and password fields on the same page :/
The article is about how to improve a UI/UX using lesser known HTML properties. The article does a great job: these tags are helpful and not everyone reads the spec for fun.<p>The article is NOT about the merits of 2FA across SMS: that discussion is happening in about 10,000 other threads on Hacker News. Please go talk about it there.
Dealing with 2FA ux right now. There is a massive gap between threat intel people, product owners, and end users.<p>From an identity assurance perspective, SMS is the best available. From an authentication perspective, it's increasingly dodgy.<p>Reality is telcos have user enrollment almost on par with bank KYC, where everything else has great authN but with user asserted identity.<p>Critics of SMS are technically correct, but 9/10x I don't think they have had to solve identity in an open or federated environment.
Authy’s iOS app still doesn’t have an actions/app helper, so every time you need to switch to the home screen, find & launch it, search for the site, close the keyboard (the copy button is obscured by it), hit copy, then switch back to Safari/wherever and paste. So much friction.<p>Kind of implies the engineers who build it never ever use it?
Is type supposed to be "text" instead of "number" in the inputmode snippet? Wouldn't it still strip leading zeros the way it is now (with type set to "number")?
I want a one-step-login. Not two step (first username, then password) and certainly not three step (username, password, 2fa, all in seperate pages). This braindead concept needs to die.<p>If no 2fa is active on the account, just accept anything (including empty strings) in that field.
This is a really cool and informative article. I had head of the 'pattern' attribute before, but I hadn't come across 'inputmode' before. This will solve a ton of headaches for my future development work.
> For older browsers there is another trick to trigger the numeric keyboard and include a bit of extra validation for free.<p>A simpler one that the pattern attribute, but more hacky-er, is using input type="tel", which I’ve also seen used for credit card number inputs.
SAASPASS has a much better 2FA user experience on the mobile phone than SMS including URL callback to the 2FA app and app to app with SDK. For desktop environments configurable MFA methods include scanning encrypted barcodes and push login. More on the developer environment is here:<p>developer.saaspass.com<p>I work for an IAM consultancy/reseller and work on SAASPASS implementations.