Friday, August 1, 2025

NSAutoFillRequiresTextContentTypeForOneTimeCodeOnMac

Ricky Mondello:

As you’ve undoubtedly heard by now, macOS Tahoe brings Security Code AutoFill of delivered codes (via Messages and Mail) to all Mac apps, including web browsers, without text field content type annotations. This matches the iOS behavior since iOS 12.

We’ve published some documentation about this new behavior, as well as how Mac apps can opt out of being eligible for one-time codes (without annotating fields) via a new Info.plist key.

I don’t really understand why this is opt-out, since it seems like it isn’t relevant to 99% of the text fields on my Mac. Are the expectations so low about apps that would benefit doing the work to opt-in? However, it’s great news that this system is being opened up to third-party browsers and apps.

Update (2025-08-05): Robin Kunde:

I’m a little confused by Ricky’s post. IMO 2FA autofill in apps was always opt-in since you had to designate a content type for it to work.

Update (2025-09-24): Mitchell Hashimoto:

Everything is open source if you try hard enough. (Trying to find the source of a pathological performance issue stemming from AppKit only on macOS 26. I’m pretty sure it’s a macOS 26 bug but given this is shipping, I need to find a workaround).

[…]

First reference to “NSAutoFillHeuristicControllerEnabled” I can find anywhere on the internet.

Update (2025-09-25): Mitchell Hashimoto:

This reverse engineering work led its way to a fix in Chrome (subsequently Electron), with credit given back to me! Very cool to see, and happy to help the macOS ecosystem. I hope macOS fixes this huge issue soon.

5 Comments


True, it’s not relevant to most text fields, but how often do you receive these codes? On the rare occasion you do receive a code, you’re likely focused on, or about to focus on, the text field that needs it. I suspect opt-out is a reasonable default.


@Rob Yeah, that makes sense, and it’s not the end of the world if it offers auto-fill in the wrong field.


“Are the expectations so low about apps that would benefit doing the work to opt-in?”

Oh most definitely. The crossover between apps that only offer text or email-based 2FA and terrible apps written by big companies that don’t care about the user experience is strong. Opt-out is the only way to make it useful.


@Rob Mayoff “but how often do you receive these codes”

Sure - but the system stays live as long as that is the last message you've received. So you log in somewhere and then until someone sends you another message, that popup appears in every text field. It's beyond bizarre!

