Hide TOTP tokens unless clicked
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Authenticator | New | Undecided | Unassigned | |
Bug Description
With one of the recent updates, I noticed there's an option to generate TOTP tokens as well (eg. for github): thanks!
However, I really dislike the default behavior of showing the current token when the last one expires (I love the count-down dial, though!):
1. It's a security risk in that you are showing a regenerated token continuously, and someone who might be looking over your shoulder can get a number of sequential tokens to help in finding the master key, even though you had no plan to use any of them.
2. It's a distracting UX: I generally don't log in at the same time into different systems using the token, so it's easier to tell the current token apart if it's the only one showing the digits.
What I propose would be to:
a. Hide the TOTP token by default
b. Uncover it on tap
c. Hide it when it expires (alternatively, keep it shown but coloured differently until tapped again)
At the very least, I'd like to have an option to hide them (eg. tapping after it's shown).
Let me know what you think :)
The reason I'm not happy about this suggestion is that the time countdown does not start when the user wants; it is a fixed time interval. If the user has to enable it manually, he'll tap on it just to see that the time is running out, wait a little longer, and then press again. If the code is directly visible, the user can more quickly decide whether this code can be used or not.
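The point in the comment above rests on how TOTP windows work: the code changes at fixed 30-second boundaries of Unix time (RFC 6238), not 30 seconds after a tap, so a code revealed late in a window may have only a second or two left. The following is an added illustration, not code from the Authenticator app: it implements HOTP/TOTP from the RFCs, computes the seconds left in the current window, and models the proposed hide/reveal-on-tap/hide-on-expiry behaviour as a small state class. The `TokenDisplay` class and its `tap`/`render` names are assumptions made for this example; the secret and timestamps are the RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the index of the current fixed time window."""
    return hotp(secret, unix_time // step, digits, algo)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """Seconds left before the window rolls over and the code changes (1..step).

    The boundary is fixed by the clock, not by when the user looks at the code.
    """
    return step - (unix_time % step)


class TokenDisplay:
    """Hypothetical model of the proposed UX from the bug description:
    hidden by default, revealed on tap, hidden again once the window expires."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.revealed_window = None  # window index in which the user last tapped

    def tap(self, unix_time: int) -> str:
        """User taps the entry: reveal the code for the current window only."""
        self.revealed_window = unix_time // self.step
        return self.render(unix_time)

    def render(self, unix_time: int) -> str:
        """What the list row shows at this instant; the countdown is always visible."""
        window = unix_time // self.step
        if self.revealed_window != window:
            self.revealed_window = None          # window rolled over: hide again
            code = "*" * self.digits
        else:
            code = totp(self.secret, unix_time, self.step, self.digits)
        return f"{code} ({seconds_remaining(unix_time, self.step)}s left)"


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), SHA-1, 8 digits.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))          # RFC vector: 94287082
    display = TokenDisplay(secret)
    print(display.render(0))                   # hidden, 30s left
    print(display.tap(59))                     # revealed with only 1s left in the window
    print(display.render(60))                  # new window: hidden again
```

The `tap(59)` call shows exactly the situation the comment describes: the code is revealed, but the fixed window ends one second later, so the user has to wait and tap again. Making the countdown dial visible while the digits are hidden would let the user pick a moment early in the window before revealing.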