Hide TOTP tokens unless clicked

Bug #1569236 reported by Данило Шеган
Affects: Authenticator
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

With one of the recent updates, I noticed there's an option to generate TOTP tokens as well (e.g. for GitHub): thanks!

However, I really dislike the default behavior of showing the current token when the last one expires (I love the count-down dial, though!):
 1. It's a security risk in that you are showing a regenerated token continuously, and someone who might be looking over your shoulder can get a number of sequential tokens to help in finding the master key, even though you had no plan to use any of them
 2. It's a distracting UX: I generally don't log in at the same time into different systems using the token, so it's easier to tell the current token apart if it's the only one showing the digits

What I propose would be to:
 a. Hide the TOTP token by default
 b. Uncover it on tap
 c. Hide it when it expires (alternatively, keep it shown but coloured differently until tapped again)

At the very least, I'd like to have an option to hide them (e.g. tapping after it's shown).

Let me know what you think :)

Michael Zanetti (mzanetti) wrote:

The reason I'm not happy about this suggestion is that the time countdown does not start when the user wants; it is a fixed time interval. If the user has to enable it manually, he'll tap on it just to see that the time is running out, wait a little longer, and then press again. If the code is directly visible, the user can more quickly decide whether this code can be used or not.

Данило Шеган (danilo) wrote:

That is a good point, but I was under the impression that most TOTP services are a bit lenient and will accept a token based on the previous or next time step (otherwise, time drift would hurt them all, especially standalone TOTP devices like battery-powered bank tokens, which don't have the benefit of the NTP/GPS/GSM network time sync that phones do).

To test my hypothesis, I logged into GitHub using a token after waiting for that one and the next one to "expire" (so, around 60s late). Because of this, you could even always keep it on-screen for 30 seconds and hide it afterwards.

If you don't do the above, there's still the UI problem that this one might disappear too quickly. But then just drop the expiration and make it behave just like the regular HOTP ones. I know you must love the way it looks, and I do too, but when using it, I hate it constantly changing and distracting me (not to mention the security risk). I am happy if it shows the stale token, but I don't want it to regenerate the new one.

It just seems like more bling than feature; even though I do like the blinginess, it really is a useless distraction and risk. (In my humble opinion, of course; I am happy to hear from someone who uses it daily and disagrees.)
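The two mechanics the comments argue about, the fixed 30-second step that the countdown is tied to and the server-side skew window that lets a stale token still verify, can be shown concretely. The following is an added example, not code from the Authenticator app or from either commenter: an RFC 6238 TOTP generator (HMAC-SHA1, 6 digits, 30-second step) with a seconds-remaining helper, plus a verifier that accepts codes from neighbouring time steps. The seed is the ASCII test seed from RFC 6238 Appendix B; the window sizes compared at the end are assumptions chosen to illustrate the 60-second-late login described above, not GitHub's documented policy.

```python
import hashlib
import hmac
import struct

# ASCII test seed from RFC 6238 Appendix B (SHA-1 vectors); not a real credential.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = 30) -> int:
    """RFC 6238 time counter T = floor(unix_time / step)."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP keyed on the time step, not on anything the user does."""
    return hotp(secret, time_step(unix_time, step), digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """Seconds until the current code changes; this is what the countdown dial shows.
    The interval is anchored to the Unix epoch, so it can be 1s at the moment of tapping."""
    return step - (unix_time % step)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check with a skew window of +/- `window` steps (RFC 6238 section 5.2
    suggests one step either way). Returns the step offset that matched, or None."""
    base = time_step(unix_time, step)
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits)
        # Constant-time comparison so a wrong guess does not leak how many digits matched.
        if hmac.compare_digest(candidate, code):
            return delta
    return None


def stale_code_outcomes(secret: bytes, issued_at: int, checked_at: int) -> dict:
    """Simulate the experiment in the thread: generate a code at `issued_at`, present it
    at `checked_at`, and see which window sizes (assumed values) still accept it."""
    code = totp(secret, issued_at)
    return {w: verify_totp(secret, code, checked_at, window=w) for w in (0, 1, 2)}


if __name__ == "__main__":
    # Constructed timestamps: a code shown at t=1000 is presented 60s later.
    print("code at t=1000:", totp(RFC6238_TEST_SECRET, 1000),
          "changes in", seconds_remaining(1000), "s")
    print("accepted 60s late per window:", stale_code_outcomes(RFC6238_TEST_SECRET, 1000, 1060))
```

With a window of one step either way, a code two steps old (about 60 seconds late) is rejected; a window of two steps accepts it at offset -2. A client that hides the token 30 seconds after it was revealed, as proposed above, therefore only works against servers with a window of at least one step, and it should stop the countdown from being misread as "this code is already useless" when only a few seconds remain.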
