
TOTP codes are visible on app switcher

Open · EspadaV8 opened this issue 3 years ago · 5 comments

Is your feature request related to a problem? Please describe.
When switching between apps the list of 2FA codes should not be visible.

Describe the solution you'd like
Similar to all banking apps or password managers, when switching apps the screen should be blanked so that the 2FA codes can't be seen.

EspadaV8 avatar Apr 17 '21 13:04 EspadaV8

[Screenshot attachment: 9F303D75-D695-4720-8667-7B015658045B]

These are the codes that should be hidden

EspadaV8 avatar Apr 17 '21 13:04 EspadaV8

Hi @EspadaV8,

Could you provide some more details on why you would want them to be hidden?

You will only see the tokens if you've unlocked the app a few minutes before switching, so I am not seeing a security risk just yet.

Thanks, Tijme

tijme avatar Apr 28 '21 18:04 tijme

~I was originally thinking security (it would still be nice for this), however, after using the app for a couple of weeks now I think it would help a lot when you have a number of TOTP added. Typing in a code from the app into my computer and looking away and back always takes a second or 2 to find the one I'm after again because it's just this long list of numbers all trying to grab my attention with their red colour highlight. Having to tap to reveal would mean the screen is a lot less busy and instantly give my eyes something to lock on to when looking back.~

Sorry, I thought I was replying to another thread. Yes, this was about the security of showing them while switching apps.

EspadaV8 avatar Apr 28 '21 20:04 EspadaV8

That’s not true. The codes are visible in the switcher once the app is opened and unlocked, and they remain visible (even after the lock out period). Also, when the app is opened (and it spins around before authentication), the codes are visible (then the authentication screen appears).

filmoreast avatar Sep 12 '21 18:09 filmoreast

One security risk is that someone could see the list of accounts after the Inactivity Lock period, and sometimes the names of the accounts themselves are sensitive. This is a screenshot showing the difference between Raivo OTP and the OTP Auth app.

[Screenshot attachment: IMG_2355 - Copy]

The OTP Auth app immediately blanks out the display and doesn't show any account names when you switch away from the app, but Raivo OTP doesn't.

LawHoo avatar Aug 17 '22 21:08 LawHoo
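The blanking behaviour requested in the opening post, and the two exposure windows described in the later comments (the app-switcher snapshot, which iOS captures when the app resigns active, and the first frames at launch before the unlock prompt appears), can both be closed with the UIKit lifecycle hooks. The Swift below is an added example written for this thread, not Raivo OTP's own code: `PrivacyCover`, `isUnlocked`, `resignedAt`, the 120-second inactivity value and the `LocalAuthentication`-based `unlock` helper are all assumptions, and the root view controller is a placeholder for the real token list.

```swift
import UIKit
import LocalAuthentication

/// Added example (not Raivo OTP's code): an opaque view placed over the key
/// window whenever the app is about to leave the foreground, so the snapshot
/// iOS stores for the app switcher shows neither TOTP codes nor account names.
/// The same cover is shown from launch until the user has unlocked.
final class PrivacyCover {
    private let window: UIWindow
    private var coverView: UIView?

    init(window: UIWindow) { self.window = window }

    /// Idempotent: a second call while the cover is already up does nothing.
    func show() {
        guard coverView == nil else { return }
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .systemBackground
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.isUserInteractionEnabled = true   // also swallows taps on the hidden list
        window.addSubview(view)
        coverView = view
    }

    func hide() {
        coverView?.removeFromSuperview()
        coverView = nil
    }
}

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private var cover: PrivacyCover?
    private var isUnlocked = false
    private var resignedAt: Date?
    /// Assumed inactivity-lock window; the real app makes this configurable.
    private let inactivityLock: TimeInterval = 120

    func application(_ application: UIApplication,
                     didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        let window = UIWindow(frame: UIScreen.main.bounds)
        window.rootViewController = UIViewController()   // placeholder for the token list (assumed)
        window.makeKeyAndVisible()
        self.window = window
        cover = PrivacyCover(window: window)
        // Cover immediately: the token list exists before the unlock prompt,
        // so without this the first rendered frames could expose codes.
        cover?.show()
        return true
    }

    /// iOS calls this before it captures the app-switcher snapshot, so the
    /// cover must be in the view hierarchy by the time this method returns.
    func applicationWillResignActive(_ application: UIApplication) {
        resignedAt = Date()
        cover?.show()
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        // Honour the inactivity lock: a long absence invalidates the unlock.
        if isUnlocked, let since = resignedAt, Date().timeIntervalSince(since) > inactivityLock {
            isUnlocked = false
        }
        guard !isUnlocked else { cover?.hide(); return }
        unlock { [weak self] success in
            guard let self = self, success else { return }   // keep the cover on failure
            self.isUnlocked = true
            self.cover?.hide()
        }
    }

    /// Stand-in for the app's unlock flow (assumed): device passcode or
    /// biometrics via LocalAuthentication. The completion runs on the main queue.
    private func unlock(completion: @escaping (Bool) -> Void) {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
            DispatchQueue.main.async { completion(false) }
            return
        }
        context.evaluatePolicy(.deviceOwnerAuthentication,
                               localizedReason: "Unlock to show your one-time codes") { ok, _ in
            DispatchQueue.main.async { completion(ok) }
        }
    }
}
```

Two points worth checking when adopting this pattern: the cover goes up on every `willResignActive`, which also fires for an incoming call or a pulled-down notification shade, so the codes are hidden in those cases too; and on an app that has adopted the scene-based lifecycle, the equivalent hooks are `sceneWillResignActive(_:)` and `sceneDidBecomeActive(_:)` on the scene delegate, because the `UIApplicationDelegate` methods shown here are then not called. Verifying the fix is a matter of unlocking, backgrounding the app, and confirming that the switcher thumbnail shows only the blank cover.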

Will be fixed in the next release 🚀

tijme avatar Jun 20 '23 20:06 tijme