
[Feature request] Do not show secrets in the UI

Open andyat opened this issue 4 years ago • 3 comments

On the main screen when I select an entry -> Edit, it shows all the info including the secret. Why is the secret shown? It makes it too easy to peek at the secret and make a copy of the token. As I understand 2fa, the secret is supposed to be transferred to the app once during 2fa setup and then never be exposed.

This is along the lines of issues #132 and #128, but unlike those, the UI should be very easy to fix.

andyat avatar Oct 22 '21 01:10 andyat

Are there any use cases for wanting to see the secret in order to transfer a token to another app / phone? If not, we can simply remove the secret field.

helloworld1 avatar Oct 22 '21 23:10 helloworld1

For transferring there are import/export commands. Besides, transferring is not supposed to be done often (if at all).

I realize there are other ways to steal secrets from the app (such as accessing app data via adb, where secrets are stored in plain text, or making an export to an unencrypted file), but those ways still require more effort and time from an adversary compared to just looking in the UI.

andyat avatar Oct 23 '21 01:10 andyat

I am using FreeOTP Plus because of this feature: to show the secret key. This is important when you need to use another phone. It all comes down to this. No need when all goes right. But when you lose your phone, or it is broken, you understand your pain. This display of the secret key allows writing it on paper in a safe place. Then if the phone breaks, you can install FreeOTP Plus on another one and easily install it and use it, no hassle. I still have some locked TOTP in my old phone with Google Auth that I cannot move to my new phone, the store does not have this feature and they do not allow resetting this TOTP, it is done one time and if you didn't save it, there is no way back... Also usually you cannot show this secret key from your account, the feature does usually not exist. So you have no means to back it up at all. And not everyone is ready to send it to Google Drive, nor copy it in a file in clear plain text. Google Auth does not allow doing this, and you are quickly completely stuck for weeks to recover your TOTPs, calling all stores for all of them, verifying identity, a real mess!

I see this feature as mandatory, really. However, it would be good to hide it with asterisks and a little button to the right to show it, so that we don't see it too easily, or by screen capture from a hacker.

gelavat avatar Jan 14 '22 12:01 gelavat