Giray, posted March 31, 2021 (edited):
Nowadays with virtual meetings, I sometimes show my screen during a call. If I have to go to the Admin CP, and I have to sign in, the two-step verification window is now visible to all. As I type in my challenge answer, everyone gets to see it. Considering it's a form of password, wouldn't it make sense to at least have the option to hide or cover the answer with dots like a password? Not mission critical, but I think it would add some security comfort. Thx.
Nathan Explosion, posted March 31, 2021:
I am going to be that guy... is there actually any benefit to this request? How long does the token live? Do the people on the meeting also know your password at that EXACT moment that token is valid? If so, you have other things to worry about.
Giray (author), posted March 31, 2021:
It's actually permanent. I type it in every single time I have to log into my Admin CP. In my case I use my favorite sports team. So, again, in the interest of max security, now everyone knows what I would answer. Is it a critical security flaw? Probably not. But it does feel awkward to type what is meant to be a private phrase openly. If one uses the converse logic, one could argue that it's not necessary to hide passwords either.
Charles (Management), posted March 31, 2021:
@Giray is referring to the challenge questions. You are right though, we can make that a hidden input.
Nathan Explosion, posted March 31, 2021:
And there is the fleshing out of the request: you are referring to the Q&A functionality here. I will be honest and say that you should implement Google Authenticator instead as your second step for the ACP, as it isn't static.
Adriano Faria, posted March 31, 2021:
18 minutes ago, Giray said: Nowadays with virtual meetings, I sometimes show my screen during a call. If I have to go to the Admin CP, and I have to sign in, the two-step verification window is now visible to all. As I type in my challenge answer, everyone gets to see it. Considering it's a form of password, wouldn't it make sense to at least have the option to hide or cover the answer with dots like a password? Not mission critical, but I think it would add some security comfort. Thx.
I developed a quick plugin last year for this matter:
Giray (author), posted March 31, 2021:
Thanks Nathan. I actually was using it, but it just got too tedious. I'm in and out of the back and using GA every single time was driving me nuts. Not to mention that my two other admins threatened to feed me mushrooms (I hate mushrooms 🤐). But I agree, better. Thanks to all. Like I said, not mission critical, but just a little security tweak.
Adriano Faria, posted March 31, 2021:
It simply changes from input text to password.
Giray (author), posted March 31, 2021:
Just now, Adriano Faria said: I developed a quick plugin last year for this matter:
Now you read my mind? A year in advance. Adriano, I fear you.
CoffeeCake, posted March 31, 2021:
3 hours ago, Giray said: I actually was using it, but it just got too tedious. I'm in and out of the back and using GA every single time was driving me nuts. Not to mention that my two other admins threatened to feed me mushrooms (I hate mushrooms 🤐). But I agree, better.
You can enable the TOTP token without forcing others to use it, yet this is also a problem from the perspective of looking up your member record in ACP, as the questions and answers are visible in plaintext. See:
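CoffeeCake's point is that masking the input box only addresses the screen-share case; if the answer is stored in plaintext, anyone who can open the member record in the ACP sees it anyway. The usual fix is to treat the answer like a password: normalise it, hash it with a salt and a slow KDF, and store only the salt and hash, so the ACP has nothing readable to display. The following is an added example, not code from this thread or from Invision Community's plugin; the record format, the `register_answer` / `check_answer` names and the PBKDF2 parameters are my own assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed parameters for the demo; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalise_answer(answer: str) -> str:
    """Challenge answers are typed from memory, so accept case and spacing variations
    ("Real Madrid" == "real  madrid") before hashing. Normalise identically on both paths."""
    return re.sub(r"\s+", " ", answer.strip().casefold())


def register_answer(answer: str) -> dict:
    """Return the record to store: only a random salt and the derived hash, never the answer."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalise_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"kdf": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def check_answer(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalise_answer(candidate).encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_answer(record: dict, answer: str) -> bool:
    """What an admin browsing the member record would see: does the plaintext appear anywhere?"""
    blob = " ".join(str(v) for v in record.values()).casefold()
    return normalise_answer(answer) in blob


if __name__ == "__main__":
    # Constructed sample: the kind of "favourite team" answer mentioned in the thread.
    rec = register_answer("  Real Madrid ")
    print("stored record:", rec)
    print("correct answer accepted:", check_answer(rec, "real madrid"))
    print("wrong answer rejected:", not check_answer(rec, "barcelona"))
    print("answer visible in ACP record:", record_reveals_answer(rec, "Real Madrid"))
```

With this layout the question text can still be shown to the admin (it has to be shown to the user at login anyway), but the answer column holds only a salted hash, so neither a screen share of the ACP nor a database export exposes the phrase itself.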
Jordan Miller, posted April 1, 2021:
Loving all the teamwork in here 🥲