This whole paragraph is incorrect. While the attribute value does allow multiple tokens there is a very specific syntax defined in the HTML standard and it doesn’t support multiple field names (types) i.e. autocomplete="username email" is invalid. If you access ‘input.autocomplete’ on an input with that attribute value “” will be returned indicating this.
I've updated the post, thank you for your help!
Nice. I didn't know about that.
But if building and maintaining app based TOTP using a library is good enough for you, then go for it. I'm certainly not going to make you use Twilio's APIs, but plenty of businesses do see the benefit.
See also: AWS.
Our new Linux login has username and password entry fields in separate (and successive) windows, and they look quite similar.
Since I enter my password much more often (to unlock) than my username, I built up a reflex of entering the password, and the rare times I have to enter my username I often type in the password instead, visible to anyone looking at the screen.
I see this new design as a security issue.
There's just nothing you can do about it if some users have passwords but other users have different authentication mechanisms.
I also have the opposite problem - sometimes I want Firefox to remember my username but not password; the only way seems to be to have it remember a dummy password (1 char so I recognise it as such) and then decline to 'update password' every time I change it in order to login.
But that's the point... how?
It recognizes that when the user confirms they've finished entering their username by clicking some kind of button.
At which point either a password box is shown or the alternative mechanism is shown.
There's no way to know in advance. And it's a UX problem if a password box is shown by default, because then users who don't have passwords think there's a bug in accessing the resource (because they don't have a password).
If your password manager has a problem with filling in the username, then the problem is with your password manager, not with the login flow. Starting with username-only is an industry standard for any product used in enterprises.
Focussing on the next field or button.
> And it's a UX problem if a password box is shown by default, because then users who don't have passwords think there's a bug in accessing the resource (because they don't have a password).
Hence why I said it can be hidden.
> If your password manager has a problem with filling in the username, then the problem is with your password manager
For sure not filling username only is a problem/missing feature with Firefox, I didn't claim otherwise. My main use for this feature is not dealing with what I consider to be bad UX, but logging in to sites that for security I don't want FF remembering my password.
> Starting with username-only is an industry standard for any product used in enterprises.
That's the complaint.
There is so much JS, no problem.
Some suggestions: https://www.twilio.com/blog/why-username-and-password-on-two...
> You definitely want to consider using these attributes if you are building a login form with the username and password on different pages.
The nice thing about using autocomplete with username and current-password is that it can help your password manager auto fill these fields across pages if they are implemented like this.
I'd say that's well supported, especially for the problem it's trying to solve (displaying the best keyboard for the input on mobile devices).
You shouldn't find yourself in too much trouble in a browser if you add an attribute to an element that it doesn't understand though, it will just ignore it.
At Twilio, we have APIs for two factor authentication and we recommend implementing via push notification to the Authy app with “approve” and “deny” buttons. This is more secure and a better experience than SMS. The API also allows for regular app based 2FA, with a TOTP code, which is more secure than SMS. But it also allows you to fallback to SMS, which is still more secure than no 2FA.
You do have to consider the threat model for your own application when considering these sort of security measures. If the value of an account takeover is high then a targeted attack can, and will, break SMS 2FA. Which is why the Twilio 2FA API allows you to turn off SMS 2FA if you choose.
Ultimately I’d prefer SMS over nothing when it comes to 2FA, but I also encourage developers to use more secure options that can also have a better experience.
This isn't always a good setup. Frequently implementors use SMS, once set up for 2FA, to do password resets.
This means that it's actually 1FA - get the sim, and you're in. No password required.
I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.
If a site required you to have a 32 character length password, but kept the passwords in plain text, that wouldn't make your password any less strong. It just opens a different attack vector. If a site implements 2FA via SMS, but allows password reset via SMS it doesn't make SMS 2FA less secure, it makes that sites implementation incorrect.
When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.
Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.
I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.
* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recyling.
* Applications that do 2FA via SMS do not necessarily do account resets via SMS
* 2FA over SMS is more secure than just having a password to secure an account.
I am sorry your girlfriend had this problem. I would have hoped a business like Facebook would better understand phone number usage. Their penchant for taking as much data as they can and using it however they like clearly burned some of their users here. I hope they have tightened up this hole and that this didn't affect too many people.
I apologize for going in circles one more time... but by not providing 2FA SMS, it is impossible to f'ck it up or be abused. Right?
There’s a lot more at play here, and “just don’t” isn’t a nuanced enough answer to 2FA by SMS.
The article is NOT about the merits of 2FA across SMS: that discussion is happening in about 10,000 other threads on Hacker News. Please go talk about it there.
From an identity assurance perspective, SMS is the best available. From an authentication perspective, it's increasingly dodgy.
Reality is telcos have user enrollment almost on par with bank KYC, where everything else has great authN but with user asserted identity.
Critics of SMS are technically correct, but 9/10x I don't think they have had to solve identity in an open or federated environment.
Are you sure? I don't mean that to sound hostile, genuinely asking. Because, at least in the States and Canada, I can get all of the +1 numbers I want on real SIMs for around a dollar apiece--or less if I work at it instead of just trotting down to Walgreens--and attach any name I want during the sign-up flow. In point of fact, I have a vanity 212 number I've owned for years. It is currently parked on a SIM registered to the name George Crabtree (that name even shows up on CID/CNAM).
Best part? The MVNO that provisioned the SIM is using a white-label service from one of the big four. Even the ICCID prefix is from the actual carrier and not the MVNO. That means that all of the automated API checks show it as a "normal" phone number provisioned on a "regular" SIM...and owned by Constable Crabtree.
Kind of implies the engineers who build it never ever use it?
Going from no 2FA to some 2FA is a more likely transition than going from bad 2FA to good 2FA (since bad 2FA still checks the 2FA box).
Surely SMS 2FA (without a backdoor) is better than nothing. Sites should still offer something better than SMS for 2FA as it has widely documented issues. But as an end user presented with SMS 2FA or no 2FA; SMS 2FA is the safer option.
Is there a reason to assume an arbitrary SMS 2FA implementation would have a back door? That would be news to me.
These tools generally put way too much trust into the phone number and allow someone who has compromised that number to take control of anything it has ever touched.
Phone numbers are very public and easy to steal in ways which are difficult to defend against.
Imagine someone in a domestic abuse situation having their phone taken, with sms 2fa, how hard would it be for that person to recover and retain access to their accounts and services?
With SMS 2FA someone who knows you personally and has control of your phone number is nearly impossible to escape.
All the adversary has to do is say "oh this was linked to my old number" and account support is super likely to just give access away.
You would have to be somewhat of an opsec expert to escape that hell, and even if you know everything it becomes impossible to defend yourself against the owners of your accounts giving access away.
The only real defense is to never associate your phone number with personal accounts which even then is often not possible.
I agree with everything you said about SMS for account recovery.
Account recovery that uses a phone number is weak. There was a paper on HN this week that detailed this.
However, if we are going to compare SMS 2FA (I.E. password plus code sent over SMS) against just password, SMS 2FA wins. In both cases I need to steal your password, the SMS part is an added challenge although it's easier to bypass than many people want.
Given SMS 2FA and any other 2FA option, SMS 2FA loses.
SMS as an authentication factor weakens the security because of all of the additional behaviors associated with the account provider which are inescapable.
> The only real defense is to never associate your phone number with personal accounts which even then is often not possible.
Yes that's exactly right. If I don't trust a website to not use my phone number as the sole factor for recovery, then I should not use SMS 2FA on that site and I should not add my phone number to any part of my profile. If I know (how?) that the website won't use SMS for recovery, then SMS 2FA is better than nothing.
As a website owner, if I offer SMS 2FA auth and use SMS in isolation for recovery, then I'd want to stop using SMS for recovery. After that, removing SMS 2FA and not offering any second factor would weaken my security. I.E. SMS 2FA is weak but better than nothing. SMS single factor recovery is terrible, fix that ASAP.
It might be good for your use case, but systematically SMS is bad for security in a global society sense.
Depending on how abusive you are thinking, that sounds like rubber hose cryptanalysis. That's a hugely powerful approach and I think all 2FA can be bypassed with that, if not most of modern cryptography.
> having their phone taken
Keep in mind that other 2FA methods also are phone based, like TOTP / Google Authenticator. Those also fail if your unlocked phone is taken. SMS is even weaker than those, but still better as a second factor versus nothing.
If somebody has your phone, a physical address associated with you, and some basic biographical information, they can continue recovering access to your accounts in a way which is difficult to escape, especially because of the misplaced trust in using phone numbers for security.
The threat in that situation is being vulnerable and having to digitally escape as well as physically escape, and if you don't do both simultaneously you can be continuously compromised in a way which is very difficult to succeed.
SMS 1FA isn’t stronger than a good password or a pw manager but I think it’s fair to say that it’s better than the typical password.
If no 2fa is active on the account, just accept anything (including empty strings) in that field.
You could obviously add some info message below or above, but people tend to be terrible at reading.
Maybe if the 2FA input field is below the login button, after some text explaining it’s function..?
I’d love to see some UX test results on this with a bunch of real users of varying tech skill levels.
Besides you can always dynamically hide (or show) the 2fa option if the email or username doesn't have 2fa enabled.
A simpler one that the pattern attribute, but more hacky-er, is using input type="tel", which I’ve also seen used for credit card number inputs.
I work for an IAM consultancy/reseller and work on SAASPASS implementations.