by mnoorenberghe on 1/12/20, 10:05 AM
> You can use more than one autocomplete value at a time too. If your username is also an email address you can give the browser and any associated password managers a hint with ‘autocomplete="username email"’.
This whole paragraph is incorrect. While the attribute value does allow multiple tokens there is a very specific syntax defined in the HTML standard and it doesn’t support multiple field names (types) i.e. autocomplete="username email" is invalid. If you access ‘input.autocomplete’ on an input with that attribute value “” will be returned indicating this.
by noodlesUK on 1/12/20, 1:37 AM
What this write up on 2fa is missing is that rather than using proprietary solutions like authy, we should be moving towards what we’ve now standardised as webauthn. If we had platform authenticators or we had a google/apple first party implementation of something like Krypton, we would be in such a better place security wise.
by stockkid on 1/11/20, 9:33 PM
> In a sign up form, make sure to use the "new-password" value as it triggers password suggestions in some browsers.
Nice. I didn't know about that.
by casca on 1/11/20, 10:51 PM
While Twilio does a lot right, they still only offer SMS and their own proprietary Authy solution for 2FA for their website. No TOTP (and still no plan to offer the industry standard) means that this has a whiff of hypocrisy.
by ayberk on 1/11/20, 10:08 PM
These are all super nice and I really wish more developers made use of these, but my main complain is not having username and password fields on the same page :/
by philnash on 1/11/20, 9:52 PM
Hello! I’m the author of this article. Thanks for posting! Here’s to the power of HTML attributes and better sign in experiences for everyone.
by 0xff00ffee on 1/12/20, 7:45 PM
The article is about how to improve a UI/UX using lesser known HTML properties. The article does a great job: these tags are helpful and not everyone reads the spec for fun.
The article is NOT about the merits of 2FA across SMS: that discussion is happening in about 10,000 other threads on Hacker News. Please go talk about it there.
by motohagiography on 1/11/20, 11:46 PM
Dealing with 2FA ux right now. There is a massive gap between threat intel people, product owners, and end users.
From an identity assurance perspective, SMS is the best available. From an authentication perspective, it's increasingly dodgy.
Reality is telcos have user enrollment almost on par with bank KYC, where everything else has great authN but with user asserted identity.
Critics of SMS are technically correct, but 9/10x I don't think they have had to solve identity in an open or federated environment.
by amatix on 1/12/20, 1:11 PM
Authy’s iOS app still doesn’t have an actions/app helper, so every time you need to switch to the home screen, find & launch it, search for the site, close the keyboard (the copy button is obscured by it), hit copy, then switch back to Safari/wherever and paste. So much friction.
Kind of implies the engineers who build it never ever use it?
by skunkworker on 1/11/20, 9:38 PM
I wish more sites would follow these protocols. When you have a numeric 2FA with a regular keyboard it feels less polished.
by akersten on 1/12/20, 3:28 AM
Is type supposed to be "text" instead of "number" in the inputmode snippet? Wouldn't it still strip leading zeros the way it is now (with type set to "number")?
by daveFNbuck on 1/12/20, 7:08 PM
I didn't know about the one-time-code autocomplete. How do they prevent this from being used to steal one-time passwords sent by other sites?
by QuinnyPig on 1/12/20, 2:14 AM
I’d give a lot to be able to forcibly delete Authy-specific 2FA accounts from the app. Today I’m stuck with old dead account tokens.
by tobyhinloopen on 1/11/20, 9:40 PM
Didn’t we just learn you shouldn’t use SMS 2FA?
by gsich on 1/12/20, 3:59 AM
I want a one-step-login. Not two step (first username, then password) and certainly not three step (username, password, 2fa, all in seperate pages). This braindead concept needs to die.
If no 2fa is active on the account, just accept anything (including empty strings) in that field.
by cyberferret on 1/11/20, 9:37 PM
This is a really cool and informative article. I had head of the 'pattern' attribute before, but I hadn't come across 'inputmode' before. This will solve a ton of headaches for my future development work.
by duxup on 1/12/20, 1:23 AM
If I'm doing verification I usually need more than"pattern" will allow, usually providing more feedback or something more complex.
by homero on 1/12/20, 6:43 AM
Twitter has the worst one where they don't trim whitespace so pastes can fail. How hard is adding trim()
by hk__2 on 1/11/20, 11:58 PM
> For older browsers there is another trick to trigger the numeric keyboard and include a bit of extra validation for free.
A simpler one that the pattern attribute, but more hacky-er, is using input type="tel", which I’ve also seen used for credit card number inputs.
by notlukesky on 1/11/20, 9:50 PM
SAASPASS has a much better 2FA user experience on the mobile phone than SMS including URL callback to the 2FA app and app to app with SDK. For desktop environments configurable MFA methods include scanning encrypted barcodes and push login. More on the developer environment is here:
developer.saaspass.com
I work for an IAM consultancy/reseller and work on SAASPASS implementations.