Comments (8)
You are able to do this by clicking "Require Touch" when adding a code. This will 'hide' the codes until you 'touch' the YubiKey.
Unfortunately, I don't believe it is possible to edit this setting after the code has been added (as you are not able to see/edit the secret key unlike other apps because this is the most secure way of storing the secret keys).
However, you can enable this by adding the key again (requires a unique name I believe), ticking the "Requires Touch" button, and then once you have confirmed it is working, delete the old key.
Hope this helps.
from yubioath-flutter.
I have attached the image, so you see what I am talking about.
I don't think this would be a big issue to implement.
from yubioath-flutter.
Since OTPs are used as a second factor, are single use, and generally only valid for 30 seconds, we are not likely to implement this change unless there is significant demand for it.
As @del-leehopper mentioned, if you have a credential set to require touch (unfortunately this does have to be set when initially adding the credential, it cannot be done afterward), the code will not be generated unless you explicitly activate it, so that is an option you have.
from yubioath-flutter.
@arodier Did you try what I suggested? It is basically what you asked for, but even more secure.
Just obfuscating the codes is only useful if someone is sitting over your shoulder and is able to input one of your codes within 30 seconds. If someone has remote access to view the screen on your device, it's likely they will also have control over that device, and therefore they can "tap" (as you say) in the app in the same way you can (same applies for Desktop/Mobile, etc.).
By using the "require touch" function, someone must physically have access to the YubiKey to view/generate a code. I do this for all my codes.
from yubioath-flutter.
> If someone has remote access to view the screen on your device, it's likely they will also have control over that device
You may be right, or not. Some applications, with the "Display Over Other Apps" permissions, don't need root access, but are just able to read the screen content. All they'd need is a code.
> By using the "require touch" function, someone must physically have access to the YubiKey to view/generate a code. I do this for all my codes.
Thanks, I just tried, it is good, albeit slightly less convenient — which is absolutely normal and expected — to use.
I am happy to close this ticket, albeit other open source applications are doing this fine.
To be honest, I also find this more readable.
from yubioath-flutter.
You are right that they may be able to read the contents of the screen without having access to control the device. My point was that if security was important to you, then there is a trade off with convenience.
For example all other "apps" store the secret key within the application. This means (in theory) someone could get access to that security key without even needing to open the application and "tap". The YubiKey stores the key and the device requests a code, which is much more secure but slightly less convenient - a trade-off I am happy with.
The future is FIDO which is both convenient and secure (at least more secure than TOTP). I just can't wait for others to jump on board as I currently have 3 in-use YubiKeys because of the TOTP limit per key (32).
Glad you are happy in the end (I think?).
from yubioath-flutter.
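Added example, not part of the thread or of yubioath-flutter's code: a minimal RFC 6238 TOTP in Python that contrasts the two exposures discussed above, a code read off the screen versus a secret copied out of an app's storage. The verifier `server_accepts`, its single-use bookkeeping and the timestamps are assumptions made for illustration; the key is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step
# RFC 6238 published test key, used here as constructed sample data.
RFC_KEY = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret_b32, code, now, used_steps, drift=0):
    """Hypothetical verifier: each time step may be redeemed only once."""
    current = now // STEP
    for step in range(current - drift, current + drift + 1):
        if step in used_steps:
            continue
        if hmac.compare_digest(totp(secret_b32, step * STEP), code):
            used_steps.add(step)
            return True
    return False


def compare_exposures():
    """What a captured code is worth versus what a copied secret is worth."""
    t_seen = 1111111109            # constructed moment the code was on screen
    shown = totp(RFC_KEY, t_seen)  # all a screen reader learns
    used = set()
    return {
        "shown_code_same_step": server_accepts(RFC_KEY, shown, t_seen, used),
        "shown_code_replayed": server_accepts(RFC_KEY, shown, t_seen, used),
        "shown_code_next_step": server_accepts(RFC_KEY, shown, t_seen + 2, set()),
        # A copied secret mints a fresh valid code at any later time.
        "copied_secret_next_day": server_accepts(
            RFC_KEY, totp(RFC_KEY, t_seen + 86400), t_seen + 86400, set()),
    }


if __name__ == "__main__":
    for case, accepted in compare_exposures().items():
        print(f"{case}: {accepted}")
```

A displayed code is good for one login inside its own time step, while a copied secret stays useful until the credential is re-enrolled, which is the exposure that keeping the secret on the YubiKey removes.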
> This means (in theory) someone could get access to that security key without even needing to open the application and "tap".

Yes, I know, this is why I wanted to use the YubiKey I have.
> Glad you are happy in the end (I think?).
I think it would be a nice improvement (both in terms of security and readability), but I understand you may be limited in resources. You can close it if you don't have the time to implement it.
from yubioath-flutter.
With regards to "time to implement it", that's a question for @dainnilsson.
However, with regards to if it should be implemented - I will put my 2 pence in and suggest it isn't. I think 'most people' will assume that by hiding the codes, they are somehow much more secure (granted they are slightly more secure but not considerably). Plus it confuses the difference between hiding the codes and hiding them plus requiring a touch. However, again, this is more of a decision for @dainnilsson and will probably park it unless others request it.
from yubioath-flutter.