
Safari autofills and submits TOTP code into the wrong input field. #14564

Open
@trendels

Description


Describe the bug

When you have TOTP enabled as a 2FA method, and you use the TOTP integration of OSX, Safari will offer to autofill (and submit!) the TOTP code into the search field during the login flow.

Expected behavior

Safari should offer to autofill the TOTP code in the correct input field.

To Reproduce

  • Enable TOTP as a 2FA method on PyPI
  • Use the TOTP integration of OSX
  • Log into PyPI, enter username and password
  • On the next screen, Safari will offer to autofill the TOTP code into the search field:

[Screenshot 2023-09-14 22:54:29]

My Platform

Safari on macOS Ventura 13.5.2

Additional context

Safari selecting the wrong form field may not be something you can control (I have no idea how it works), but even if it were to select the right field, I think the current login flow is not ideal:

I have a security key set up as my primary 2FA method and have only added TOTP tokens as a backup in case I lose my security key(s). I try to always use the security key on sites that allow it due to the phishing protection it offers compared to TOTP codes.

The way the login flow currently works on PyPI, all it takes to log in using TOTP with Safari is two consecutive presses of the fingerprint sensor: the first one autofills and submits username and password (OK), the second one autofills and submits the TOTP code (currently into the search field).

For comparison, this is what GitHub shows you after you have entered username and password, if you have both a security key and TOTP enabled as second factors:

[Screenshot 2023-09-14 23:21:00]

The text input only appears after you explicitly select the TOTP option (authenticator app). Thus it is far less likely that you accidentally log in using TOTP when you meant to use your security key. Also, the page has no other text inputs that could be auto-filled accidentally.
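The report above describes a page that exposes two text inputs at the 2FA step, neither of which tells the browser what it is for. A small markup audit makes the defect concrete. The following is an added example, not code from the issue or from the PyPI/Warehouse project: it parses a constructed 2FA page with Python's standard `html.parser`, flags the search box for lacking `autocomplete="off"` and the TOTP box for lacking `autocomplete="one-time-code"` (both standard HTML autocomplete tokens), and shows the hardened markup passing the same check. The field name `totp_value` and the form actions are assumptions made up for the example; these attributes are hints that browsers are free to ignore, and not rendering the TOTP input until the user explicitly chooses that method, as the GitHub flow in the report does, remains the more reliable fix.

```python
from html.parser import HTMLParser

# Constructed sample markup (not PyPI's real template): a 2FA page whose
# search box and TOTP box carry no autocomplete hints, so a browser has to
# guess which one the one-time code belongs in.
WEAK_PAGE = """
<form action="/search"><input type="search" name="q" placeholder="Search"></form>
<form action="/account/two-factor/totp" method="post">
  <input type="text" name="totp_value" placeholder="Authentication code">
  <button type="submit">Verify</button>
</form>
"""

# Same page with explicit hints: the search box opts out of autofill and the
# OTP box declares itself as the one-time-code target.
HARDENED_PAGE = """
<form action="/search"><input type="search" name="q" autocomplete="off" placeholder="Search"></form>
<form action="/account/two-factor/totp" method="post">
  <input type="text" name="totp_value" inputmode="numeric"
         autocomplete="one-time-code" placeholder="Authentication code">
  <button type="submit">Verify</button>
</form>
"""

# Input types a browser would consider for free-text autofill.
# None covers <input> with no type attribute, which defaults to text.
TEXT_LIKE = {"text", "search", "tel", "number", "email", "url", None}


class InputCollector(HTMLParser):
    """Collects every <input> together with the action of its enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.inputs = []  # list of (form_action, attribute dict)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action")
        elif tag == "input":
            self.inputs.append((self.form_action, a))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(html, otp_field_names=("totp_value",)):
    """Return findings for text-like inputs on a 2FA page that lack an autocomplete hint.

    otp_field_names lists the input names that are meant to receive the code
    (assumed name for this example); every other text-like input on the page
    is expected to opt out of autofill.
    """
    parser = InputCollector()
    parser.feed(html)
    findings = []
    for action, a in parser.inputs:
        if a.get("type") not in TEXT_LIKE:
            continue  # hidden, submit, password, checkbox etc. are not OTP candidates
        name = a.get("name", "?")
        hint = a.get("autocomplete")
        if name in otp_field_names:
            if hint != "one-time-code":
                findings.append(
                    f'{name} (form {action}): OTP input should declare '
                    f'autocomplete="one-time-code", has {hint!r}'
                )
        elif hint != "off":
            findings.append(
                f'{name} (form {action}): non-OTP text input on a 2FA page should '
                f'declare autocomplete="off", has {hint!r}'
            )
    return findings


if __name__ == "__main__":
    for label, page in (("weak", WEAK_PAGE), ("hardened", HARDENED_PAGE)):
        print(f"{label}: {audit(page) or 'no findings'}")
```

Run as a script it prints two findings for the weak page (the `q` search box and the `totp_value` box) and none for the hardened one. The audit is deliberately strict about every other text-like input on the page, because the report's second point is that any extra text field at the 2FA step is a candidate for a misdirected autofill-and-submit.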

Labels

  • 2FA
  • UX/UI (design, user experience, user interface)
  • cross browser bug 🐛 (issue specific to a particular browser or resolution)
