How to avoid auto-fill in 2FA fields

Hi.
I’ve noticed that the browser plugin is entering my password in the field where the 2FA code has to be entered. To be more specific: user/pass are on one form, then the page loads further and shows the 2FA field.

Is there a way to avoid this behavior? The problem is that the 2FA field is showing what you type in, so my password is being automatically entered and can be seen in the browser!
Thanks,
F.

Generally, this type of issue can be solved by defining a custom field that has a blank value. If you post the URL, I could try to provide more detailed instructions.

Custom field?
I’ve looked into it right now, so I copied the custom field name and put it in my Bitwarden entry for this URL and left the content blank. This is nice, but the problem is that the password field at the beginning has the same name as the 2FA field! So now the password field remains empty…

Any additional help?

Not unless you can share the URL.

You can’t do much without a proper account there… anyway, here you go:

https://customersso1.fortinet.com/

Create a custom field with the name token_code, and a value that is blank.


Thanks.
Why “token_code” and not “id_password”?
Also: does it matter if the custom field is “hidden” or not?

This is the HTML code used for the 2FA input field on the fortinet.com site:

<input type="text" name="token_code" id="id_password">

Bitwarden matches input fields based on the values of the element attributes id, name, aria-label, or placeholder (in that order of prioritization), so if two fields have the same id value (e.g., “id_password”, as for the password and 2FA fields on that site), then the fields can still be distinguished by their name attributes (“password” and “token_code”, respectively, for your login form).

I would recommend just creating a custom field of the “Text” type for this use (auto-filling a blank value), since there is nothing sensitive about the blank field value. You could use the “Hidden” type if you prefer, but there would be no benefit to doing so.

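The matching rule described in the answer above, as an added example that is not part of the original thread and is not Bitwarden's code: a simplified JavaScript model showing why a blank custom field named `id_password` also hits the password box, while one named `token_code` hits only the 2FA field. The function names and the username/password tags are assumptions; only the 2FA tag is quoted from the thread.

```javascript
// Simplified model of the attribute matching described in the thread.
// Not Bitwarden's code; parseInputs and matchCustomField are hypothetical.
const MATCH_ORDER = ["id", "name", "aria-label", "placeholder"];

// Extract the attributes of every <input> tag found in an HTML string.
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return the inputs a custom field with this name would be filled into,
// together with the attribute that produced each match.
function matchCustomField(fieldName, inputs) {
  const hits = [];
  for (const input of inputs) {
    const attr = MATCH_ORDER.find((a) => input[a] === fieldName);
    if (attr) hits.push({ matchedOn: attr, name: input.name });
  }
  return hits;
}

// Constructed sample covering both steps of the login flow. The 2FA tag is
// the one quoted in the thread; the username and password tags are assumed.
const loginStep = parseInputs(
  '<input type="text" name="username" id="id_username">' +
  '<input type="password" name="password" id="id_password">'
);
const mfaStep = parseInputs(
  '<input type="text" name="token_code" id="id_password">'
);
const allInputs = [...loginStep, ...mfaStep];

// Named after the shared id, the blank field matches the password box too.
console.log(matchCustomField("id_password", allInputs));
// Named after the name attribute, it matches only the 2FA field.
console.log(matchCustomField("token_code", allInputs));
```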

Sorry to bother again, but for some weird reason, for the past couple of days the MFA field has been automatically filled with some crap (a string, which is always the same). I looked into the relevant Bitwarden vault entry, but there’s no such information stored.
What could this be?

Are you referring to the same website (fortinet.com)? Did you implement the empty custom field named token_code as recommended above?

If so, I am unable to reproduce the behavior that you are now describing.

When you get to the MFA input page (“Input Security Code”), what is the number shown in the badge counter overlaid in the corner of the Bitwarden browser extension icon at the top of your browser? Is it just 1, as shown below, or a higher number?

image

Also, could you please post a screenshot showing the token_code custom field as defined in your vault entry for fortinet.com? It should look something like this when you view the vault item details:

image

Yes, I’m referring to the same website support.fortinet.com
I implemented the custom field like you recommended and it worked like a charm initially. I didn’t change anything at all since then.

It’s showing 3:
image
This is OK, because I do have more than one login.

Here it is:

What I just noticed is that it doesn’t happen on my MacBook Pro’s Brave instance, but it happens on my Win11 PC with Brave. Maybe something got stuck on the Win11 Brave installation? Any way to somehow clear everything related to support.fortinet.com in Brave? Or even related to fortinet.com?

Thanks,
F.

Did you disable your browser’s inbuilt form fill?


I would suggest doing the following in your Windows 11 Brave browser:

  1. Go to Settings > Auto-fill, and enable the option “Make Bitwarden your default password manager” by checking its checkbox. Is the problem still occurring? If so, continue.

  2. For each of the three vault items (accounts) that match on the support.fortinet.com or fortinet.com sites, check all passwords and custom fields to see if any of the field values match the “crap” string that is getting auto-filled on the MFA screen. If not, continue.

  3. Go to Settings > Auto-fill, and disable the option “Auto-Fill on Page Load” by unchecking its checkbox. Go to the problematic Fortinet site, auto-fill your username and password using the keyboard shortcut Ctrl+Shift+L, and then proceed to the MFA screen by clicking Log In. Is the “crap” string still getting automatically auto-filled at the MFA prompt? If not, continue.

  4. Uninstall the Bitwarden browser extension, and then re-install the browser extension.

Please report the results of all of the above tests.

Yes, I did disable it.

Hi. The issue does not occur anymore… no clue what changed, except for the regular Brave browser upgrade.