{"id":48739,"date":"2025-08-01T16:26:20","date_gmt":"2025-08-01T20:26:20","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=48739"},"modified":"2025-09-25T16:44:39","modified_gmt":"2025-09-25T20:44:39","slug":"nsautofillrequirestextcontenttypeforonetimecodeonmac","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/08\/01\/nsautofillrequirestextcontenttypeforonetimecodeonmac\/","title":{"rendered":"NSAutoFillRequiresTextContentTypeForOneTimeCodeOnMac"},"content":{"rendered":"<p><a href=\"https:\/\/hachyderm.io\/@rmondello\/114937340699239807\">Ricky Mondello<\/a>:<\/p>\n<blockquote cite=\"https:\/\/hachyderm.io\/@rmondello\/114937340699239807\"><p>As you&rsquo;ve undoubtedly heard by now, macOS Tahoe brings Security Code AutoFill of delivered codes (via Messages and Mail) to <em>all<\/em> Mac apps, including web browsers, without text field content type annotations. This matches the iOS behavior since iOS 12.<\/p><p>We&rsquo;ve published some <a href=\"https:\/\/developer.apple.com\/documentation\/bundleresources\/information-property-list\/nsautofillrequirestextcontenttypeforonetimecodeonmac\">documentation<\/a> about this new behavior, as well as how Mac apps can opt out of being eligible for one-time codes (without annotating fields) via a new <tt>Info.plist<\/tt> key.<\/p><\/blockquote>\n\n<p>I don&rsquo;t really understand why this is opt-out, since it seems like it isn&rsquo;t relevant to 99% of the text fields on my Mac. Are the expectations so low about apps that would benefit doing the work to opt-in? 
However, it&rsquo;s <em>great<\/em> news that this system is being opened up to third-party browsers and apps.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/10\/21\/safari-security-code-autofill\/\">Safari Security Code AutoFill<\/a><\/li>\n<\/ul>\n\n<p id=\"nsautofillrequirestextcontenttypeforonetimecodeonmac-update-2025-08-05\">Update (<a href=\"#nsautofillrequirestextcontenttypeforonetimecodeonmac-update-2025-08-05\">2025-08-05<\/a>): <a href=\"https:\/\/mastodon.social\/@robinkunde@hachyderm.io\/114956784443112032\">Robin Kunde<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@robinkunde@hachyderm.io\/114956784443112032\">\n<p>I&rsquo;m a little confused by Ricky&rsquo;s post. IMO 2FA autofill in apps was always opt-in since you had to designate a content type for it to work.<\/p>\n<\/blockquote>\n\n<p id=\"nsautofillrequirestextcontenttypeforonetimecodeonmac-update-2025-09-24\">Update (<a href=\"#nsautofillrequirestextcontenttypeforonetimecodeonmac-update-2025-09-24\">2025-09-24<\/a>): <a href=\"https:\/\/x.com\/mitchellh\/status\/1967324131801915875\">Mitchell Hashimoto<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/mitchellh\/status\/1967324131801915875\"><p>Everything is open source if you try hard enough. (Trying to find the source of a pathological performance issue stemming from AppKit only on macOS 26. 
I&rsquo;m pretty sure it&rsquo;s a macOS 26 bug but given this is shipping, I need to find a workaround).<\/p><p>[&#8230;]<\/p><p>First reference to &ldquo;NSAutoFillHeuristicControllerEnabled&rdquo; I can find anywhere on the internet.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/09\/15\/macos-tahoe-26\/\">macOS Tahoe 26<\/a><\/li>\n<\/ul>\n\n<p id=\"nsautofillrequirestextcontenttypeforonetimecodeonmac-update-2025-09-25\">Update (<a href=\"#nsautofillrequirestextcontenttypeforonetimecodeonmac-update-2025-09-25\">2025-09-25<\/a>): <a href=\"https:\/\/x.com\/mitchellh\/status\/1970944369336475713\">Mitchell Hashimoto<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/mitchellh\/status\/1970944369336475713\">\n<p>This reverse engineering work led its way to a fix in Chrome (subsequently Electron), with credit given back to me! Very cool to see, and happy to help the macOS ecosystem. I hope macOS fixes this huge issue soon.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Ricky Mondello: As you&rsquo;ve undoubtedly heard by now, macOS Tahoe brings Security Code AutoFill of delivered codes (via Messages and Mail) to all Mac apps, including web browsers, without text field content type annotations. 
This matches the iOS behavior since iOS 12. We&rsquo;ve published some documentation about this new behavior, as well as how Mac apps [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-08-01T20:26:22Z","apple_news_api_id":"7458e918-2842-49b4-898d-ca7f54c58992","apple_news_api_modified_at":"2025-09-25T20:44:41Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAg==","apple_news_api_share_url":"https:\/\/apple.news\/AdFjpGChCSbSJjcp_VMWJkg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[69,456,30,2742,71,48,1393,2090,2735],"class_list":["post-48739","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-cocoa","tag-googlechrome","tag-mac","tag-macos-tahoe-26","tag-programming","tag-security","tag-short-message-service-sms","tag-two-factor-authentication-2fa","tag-web-browser"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/48739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=48739"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/48739\
/revisions"}],"predecessor-version":[{"id":49371,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/48739\/revisions\/49371"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=48739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=48739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=48739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}