Describe the bug
The input field for the two-factor authentication (2FA) OTP code on the login page has its autocomplete attribute set to "new-password". This causes password managers (e.g. Bitwarden, 1Password, etc.) to treat the field as a new password field and offer to save a new password, instead of recognizing it as a one-time code field. As a result, automatic OTP autofill is not possible and users are repeatedly prompted to save a new password.
The relevant HTML snippet confirms this:
```html
<input name="otp" ng-model="user.otp" type="password" ng-disabled="isLogginIn"
       focus-me="twoFAMode || twoFANotCorrect"
       autocomplete="new-password"
       class="ng-pristine ng-valid md-input ng-empty ng-touched"
       id="input_4" aria-invalid="false">
```
The correct value for the autocomplete attribute should be "one-time-code" as per the HTML specification.
To Reproduce
Steps to reproduce the behavior:
- Navigate to the MONARC login page (e.g. https://my.monarc.lu)
- Enter username and password and submit
- The 2FA screen appears with the field labeled "Zwei-Faktor-Verifizierungscode" (Two-Factor Verification Code)
- Observe that a password manager incorrectly identifies the field as a new password field and prompts to save a new password
Expected behavior
The autocomplete attribute of the OTP input field should be set to "one-time-code" so that password managers and browsers correctly identify the field as a one-time code input. This would prevent incorrect password-save prompts and enable proper OTP autofill support.
Screenshots
See attached screenshots showing:
- The HTML source of the affected input field with autocomplete="new-password"
- The browser developer tools accessibility panel confirming the field is labeled "Zwei-Faktor-Verifizierungscode" with role textbox
Desktop (please complete the following information):
| Questions | Answers |
| --- | --- |
| Type of issue | Bug |
| OS version (server) | N/A (Cloud: my.monarc.lu) |
| OS version (client) | Unknown |
| PHP version | N/A (Cloud) |
| MONARC version / git hash | 2.13.4 |
| Browser | Microsoft Edge 148.0.3967.70 |
Additional context
The fix is straightforward: changing autocomplete="new-password" to autocomplete="one-time-code" on the OTP input field would resolve this issue. This is a low-effort change with a significant positive impact on usability and compatibility with password managers and browser autofill features.
<img width="718" height="339" alt="Image" src="https://github.com/user-attachments/assets/b8ccc84d-83ab-4ea5-ba5d-185ab07a8ca5" />
<img width="509" height="81" alt="Image" src="https://github.com/user-attachments/assets/96f28415-f09d-4fe1-a5ec-2955c9a98500" />
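A template lint for the condition reported above, as an added example that is not part of the original issue or of MONARC's code. The `OTP_HINT` name heuristic, the function names and the sample markup (the reported input, abbreviated, plus constructed neighbours) are assumptions of this sketch.

```javascript
// Added example: flag OTP inputs whose autocomplete lacks "one-time-code".
// OTP_HINT is an assumed heuristic for recognising OTP fields by name/id/ng-model.
const OTP_HINT = /otp|2fa|twofa|one-?time|verification-?code/i;

// Parse the attributes of a single <input ...> start tag into a map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per OTP-looking input that is not tagged one-time-code.
function findMistaggedOtpInputs(html) {
  const findings = [];
  // Quoted values may contain ">", so skip over them when locating the tag end.
  const tagRe = /<input\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const identity = [attrs.name, attrs.id, attrs["ng-model"]].filter(Boolean).join(" ");
    if (!OTP_HINT.test(identity)) continue;
    // autocomplete holds space-separated tokens; look for the field name among them.
    const tokens = (attrs.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (!tokens.includes("one-time-code")) {
      findings.push({
        field: attrs.name || attrs.id || "(unnamed)",
        autocomplete: attrs.autocomplete ?? null, // null: attribute missing
        line: html.slice(0, m.index).split("\n").length,
      });
    }
  }
  return findings;
}

// Constructed sample: the reported field, a regular password field, a fixed field.
const SAMPLE = `<form>
<input name="password" type="password" autocomplete="current-password">
<input name="otp" ng-model="user.otp" type="password" ng-disabled="isLogginIn"
  focus-me="twoFAMode || twoFANotCorrect"
  autocomplete="new-password" id="input_4">
<input name="otp_fixed" type="text" autocomplete="one-time-code">
<input name="totp" type="text">
</form>`;

console.log(findMistaggedOtpInputs(SAMPLE));
```

Run over a project's login templates in CI, a non-empty result marks the fields where password managers will not see a one-time-code hint.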