- Issue created by @nvandijk
- Merge request !84: Issue #3456229 by nvandijk: Change autocomplete to one-time-code → (Open) created by nvandijk
- Status changed to Needs review
5 months ago 11:50am 21 June 2024 - 🇳🇱Netherlands nvandijk
Created a merge request, adding the patch for own use.
- 🇺🇸United States greggles Denver, Colorado, USA
+1 to the proposal as a concept. I didn't review the code for completeness/effectiveness.
I think this should maybe go into 2.x first and then be backported to 8.x-1.x.
- Status changed to Needs work
5 months ago 7:26pm 21 June 2024 - 🇺🇸United States cmlara
Let’s target to 2.x first as a feature request.
I have not yet loaded in a browser to validate no unexpected/negative changes occur, though I would suspect the “worst” would now be a browser with an autofill integration might now pop up a selector where it did not in the past.
Quick glance looks like this would also target the setup form. We might see auto-fillers populate that field now with the “old” code. Is there a way to indicate it’s a “new” token similar to “new-password”?
- 🇺🇸United States greggles Denver, Colorado, USA
I added some more articles about this idea to the issue summary.
I think this feature is most valuable for sites that use SMS for sending the code, so might not be super valuable to the TFA module as it stands today.
@nvandijk I wonder why you added this to the TFAHotpValidation and TFATotpValidation but didn't add it to TfaSetupForm.php nor TfaDisableForm.php? It seems like it should be added in those 4 places instead of just the 2?
- 🇳🇱Netherlands nvandijk
@greggles, I was unsure of which branch to create a fork from, so mostly quickly added the fields I saw, apparently missing some of them. I saw the functionality was rewritten in the 2.x branch so did not take much time to create a 'proof of concept'.
Thanks for adding the links, I found the web.dev article as well about the SMS functionality. However, when reading the technique specification for the autocomplete attribute, you will find it brings more benefits to some users. https://www.w3.org/WAI/WCAG21/Techniques/html/H98
@cmlara There is not a new- or old- prefix available for the one-time-code value sadly.
- 🇵🇹Portugal jcnventura
The good thing is that this feature seems to be used in 94% of the current browser market share: https://caniuse.com/?search=one-time-code
I'd say that is enough to consider this ready for being used.