whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Form input element should have an autocomplete attribute for numeric citizen/personal ID fields #5740

Open Avamander opened 4 years ago

Avamander commented 4 years ago

The need for such a field is primarily motivated by the increasing number of websites that support login based on eIDAS (EU legislation). These websites ask for a citizen ID, national ID or personal identification number in order to initiate a next step in the login, signing or registration flow.

Here browsers currently lack a method to differentiate between a username, e-mail, a NID and a password, which makes things like autofill, determining the appropriate autocomplete attribute on phones, accessibility or password management much harder.

A minimum viable implementation would be having the new autocomplete attribute function similarly to the number type. This would already make it much easier for screen readers, keyboards (on mobile devices) and for password managers to determine what should be entered. Future improvements could include things like additional validity checks that are, for example, country-specific (like date or url validates a few things).

Just for context, the number is usually very similar to the SSN, but it usually isn't something super confidential (as it's often published online).

Here are two examples. In both of these cases browsers are currently not aware that "Personal code" could be autofilled, that it could be managed by the password manager or that a numeric keyboard is preferred. Those are just a few examples I could quickly find that weren't behind a login wall and are in English.

  1. RIA Tara (Estonian government's central authentication system): https://tara.ria.ee/login?ui_locales=en
    If you click on "Mobile-ID" then you're displayed two fields, "Personal code" and "Phone number". If you click on "Smart-ID" then it displays only "Personal code".

  2. Swedbank: https://www.swedbank.ee/private
    If you click on "Mobile-ID" or "Smart-ID" then you're again asked for a NID and maybe a phone number.

There technically are methods to hint all this separately or it's possible for password managers and screen readers to have a workaround, but it really isn't nicely doable without a standardization effort. Just like the password autocomplete attribute significantly simplifies similar efforts.

annevk commented 4 years ago

How is it separate from username though? That is, why is <input autocomplete=username inputmode=numeric> not sufficient here?

Avamander commented 4 years ago

> How is it separate from username though? That is, why is <input autocomplete=username inputmode=numeric> not sufficient here?

Firstly, because both a username and a NID might be asked for at the same time. Then it's hard for automated systems to differentiate between them.

The second aspect is that there's a possibility of improved UX with browsers giving instant feedback when a NID is malformed. Yes, similar functionality can be achieved with JS, but that could be said about a lot of form field types.

This is also a bit similar to the tel, technically that could just be <input autocomplete=username inputmode=numeric> but it isn't.
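
The JS workaround mentioned in the comment above, sketched as an added example (not code from the thread or from any of the linked sites): a check-digit validator for the Estonian 11-digit personal code, wired to the field through `setCustomValidity`. The element id `personal-code` is hypothetical, the sample codes in the comments are constructed, and date plausibility is not checked.

```javascript
// Markup this is meant for (as suggested earlier in the thread):
//   <input id="personal-code" autocomplete=username inputmode=numeric>
// "personal-code" is a hypothetical id chosen for this example.

// Weights for the two stages of the Estonian personal code checksum.
const STAGE1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 1];
const STAGE2 = [3, 4, 5, 6, 7, 8, 9, 1, 2, 3];

function weightedRemainder(digits, weights) {
  const sum = weights.reduce((acc, w, i) => acc + w * digits[i], 0);
  return sum % 11;
}

// Check digit for the first ten digits: stage 1, then stage 2 if the
// remainder is 10, and 0 if the remainder is 10 again.
function expectedCheckDigit(firstTen) {
  let r = weightedRemainder(firstTen, STAGE1);
  if (r === 10) r = weightedRemainder(firstTen, STAGE2);
  return r === 10 ? 0 : r;
}

// Returns "" when the value is well-formed, otherwise a message suitable
// for setCustomValidity().
function personalCodeError(value) {
  const code = String(value).trim();
  if (!/^\d{11}$/.test(code)) return "Personal code must be 11 digits";
  const digits = Array.from(code, Number);
  if (expectedCheckDigit(digits.slice(0, 10)) !== digits[10]) {
    return "Personal code check digit does not match";
  }
  return "";
}

// Browser-only wiring: gives the instant feedback a built-in type would.
function attachPersonalCodeValidation(input) {
  input.addEventListener("input", () => {
    input.setCustomValidity(personalCodeError(input.value));
  });
}

// Constructed samples: "39001010011" passes at stage 1,
// "39001010110" passes only via the stage 2 weights.
if (typeof document !== "undefined") {
  const field = document.getElementById("personal-code");
  if (field) attachPersonalCodeValidation(field);
}
```

This only catches typing mistakes on the client; the server receiving the form still has to validate the value itself.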

annevk commented 4 years ago

I don't think we would have added tel today (and you'd set autocomplete to tel I hope). The above two sites don't distinguish between username and NID, but it seems the Dutch DigiD does (although the NID is not used for login).

It seems somewhat reasonable to add an autofill field for this.

@whatwg/forms @mnoorenberghe

domenic commented 4 years ago

I agree that autofill field is the right approach here and not a new input type.

josepharhar commented 4 years ago

By autofill do you mean a value for the autocomplete attribute? Like <input autocomplete="citizen-id">? Or would it look like <input autocomplete=on name="citizen-id">? I'm not super familiar with this feature, I never knew about the autocomplete attribute before this discussion.

This was started in a Chrome bug which also has a bunch of discussion. I am hoping we can come to a decision in this issue.

Based on the discussion here it sounds like there are several requests and possible solutions:

Avamander commented 4 years ago

@josepharhar

> Accessibility: What exactly is wrong with the current accessibility?

It's a textual form field like most others at the moment. Things like inputmode=numeric or even labels aren't that common. If a field of this type were more standardized, things like screen readers could potentially be more helpful, or alternatively it would just make autofill work properly for everyone.

> Password management: I don't know how these things work, but if they are looking for an input type, then they could also look for autocomplete and related attributes, right?

Technically, but nothing does and it would be a workaround, compared to having a more standard way of specifying this type of form field.

josepharhar commented 4 years ago

It sounds like the issue is that websites aren't using inputmode and autocomplete simply because they aren't as obvious as type, which I don't think is a very strong argument for adding a new value for type, especially since this is a very particular use case for a particular type of ID rather than extremely widespread and fundamental ideas like number and email.

Perhaps we should do some sort of outreach to make these features more well known to web developers instead?

I'd still like to know more about exactly how we can improve autocomplete and/or autofill for this use case.

domenic commented 4 years ago

We could add a new autofill field, e.g. autocomplete="citizen-id-number". The issue is getting browsers to implement it. Is a browser going to open a dialog on installation asking people to type their citizen ID number, so that it can autofill it for them on a few select government sites? I find that doubtful...

Avamander commented 4 years ago

@josepharhar @domenic

> especially since this is a very particular use case for a particular type of ID rather than extremely widespread and fundamental ideas like number and email.

> so that it can autofill it for them on a few select government sites?

The adoption varies tremendously based on the country, it might be nearly nonexistent in the US, but it's very widespread in multiple European countries. It's really doing the various systems a disservice saying "a few government sites". All of the banks, all of the government sites, even newspapers, craigslist-equivalents, hosting providers, I could really keep listing, those are not really "a few". The speed of such login methods being adopted will increase further in the coming years. I can say with 100% certainty FIDO2 and U2F functionality is a much more niche thing than this field would be.

> Is a browser going to open a dialog on installation

Not on installation, but it does prompt me to save my credit card details or my address, there's really no fundamental difference here. It's not like the SSN you have to closely guard or fear identity theft.

josepharhar commented 4 years ago

Thanks for the context - I feel like autocomplete="citizen-id-number" could be good, but I still stand by my stance against adding a type just because it would be more obvious to developers than the autocomplete attribute.

jimmy-collazos commented 4 years ago

Please consider other names like national-identification-number or "nin" (national identification number) because it's more open to other identifications, like citizens, permanent and temporary residents (emigrants)...

+1 to implement new input type (e.g. type="nin").

annevk commented 4 years ago

I guess the one thing we don't have an obvious solution for is asking for a username that happens to be such an identifier, but that also goes for asking for a username that happens to be an email address. We should probably track that separately if it's desirable.

Goldflow commented 2 months ago

Does anyone know if there's been any development on this, potentially in other places?