
[Feature request] Do not show secrets in the UI #162

Open
andyat opened this issue Oct 22, 2021 · 3 comments

Comments


andyat commented Oct 22, 2021

On the main screen, when I select an entry -> Edit, it shows all the info including the secret. Why is the secret shown? It makes it too easy to peek at the secret and make a copy of the token. As I understand 2FA, the secret is supposed to be transferred to the app once during 2FA setup and then never be exposed.

This is along the lines of issues #132 and #128, but unlike those, the UI should be very easy to fix.

helloworld1 (Owner) commented

Are there any use cases that want to see the secret in order to transfer a token to another app / phone? If not, we can simply remove the secret field.


andyat commented Oct 23, 2021

For transferring, there are import/export commands. Besides, transferring is not supposed to be done often (if at all).

I realize there are other ways to steal secrets from the app (such as accessing app data via adb, where secrets are stored in plain text, or exporting to an unencrypted file), but those ways still require more effort and time for an adversary compared to just looking in the UI.


gelavat commented Jan 14, 2022

I am using FreeOTP Plus because of this feature: showing the secret key. This is important when you need to use another phone. It all comes down to this. No need when all goes right. But when you lose your phone, or it is broken, you understand the pain. Displaying the secret key allows writing it on paper kept in a safe place. Then if the phone breaks, you can install FreeOTP Plus on another one, easily set it up and use it, no hassle. I still have some locked TOTPs in my old phone with Google Auth that I cannot move to my new phone; the store does not have this feature and they do not allow resetting this TOTP. It is done once, and if you didn't save it, there is no way back... Also, usually you cannot show this secret key from your account; the feature usually does not exist. So you have no means to back it up at all. And not everyone is ready to send it to Google Drive, nor copy it into a file in clear plain text.
Google Auth does not allow this, and you are quickly completely stuck for weeks to recover your TOTPs, calling all stores for all of them, verifying identity, a real mess!

I see this feature as mandatory, really. However, it would be good to hide it with asterisks and a little button to the right to show it, so that we don't see it too easily, and so a hacker cannot capture it via a screenshot.
