Autocomplete enabled in "https://app.passit.io/account/reset-password-verify...." backup codes
Hello David, the backup code form while resetting the password is:
<input _ngcontent-mbh-c1="" autofocus="" class="form-field__input ngrx-forms-invalid ngrx-forms-pristine ngrx-forms-unsubmitted ngrx-forms-touched" spellcheck="false" type="text" id="Reset Password Form.code">
It should include autocomplete="off" so the browser would disable autocomplete in this form, because when autocomplete is enabled, if a user used a public computer to reset his password, an attacker can reach his backup code even if the user logged out, because the backup codes are already stored locally.
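
One way to check markup for the condition described in this report, as an added example that is not part of the original report or the project's own code: the function lists text-like inputs whose own `autocomplete` attribute is not `off`. The sample HTML, the `hardened-code` and `remember` ids, and all function names are constructed for illustration.

```javascript
// Added example: audit markup for free-text inputs that leave browser form history on.
// SAMPLE_HTML is constructed, modeled on the input element quoted in the report.
const SAMPLE_HTML = `
<form>
  <input autofocus="" class="form-field__input" spellcheck="false" type="text" id="Reset Password Form.code">
  <input type="text" id="hardened-code" autocomplete="off">
  <input type="checkbox" id="remember">
</form>`;

// Input types whose typed values a browser may keep in its form history.
const HISTORY_TYPES = new Set(["text", "search", "tel", "email", "url", "number"]);

// Parse one tag's source text into a map of lower-cased attribute names to values.
function parseAttributes(tagSource) {
  const attrs = {};
  const body = tagSource.replace(/^<\s*[^\s/>]+/, ""); // drop "<input"
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the ids of text-like inputs that do not set autocomplete="off".
// Assumptions: attribute values contain no ">", and only the input's own
// attribute is checked (an autocomplete="off" on the parent form is not seen).
function findHistoryEnabledInputs(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) ?? []) {
    const attrs = parseAttributes(tag);
    const type = (attrs.type ?? "text").toLowerCase(); // missing type means text
    if (!HISTORY_TYPES.has(type)) continue;
    if ((attrs.autocomplete ?? "").trim().toLowerCase() === "off") continue;
    findings.push(attrs.id ?? "(no id)");
  }
  return findings;
}

console.log(findHistoryEnabledInputs(SAMPLE_HTML));
```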