Nowadays with virtual meetings, I sometimes show my screen during a call. If I have to go to the Admin CP, and I have to sign in, the two-step verification window is now visible to all. As I type in my challenge answer, everyone gets to see it. Considering it's a form of password, wouldn't it make sense to at least have the option to hide cover the answer with dots like a password?

Not mission critical, but I think it would add some security comfort.

Thx.

Edited March 31, 20214 yr by Giray

I am going to be that guy.....is there actually any benefit to this request? How long does the token live? Do the people on the meeting also know your password at that EXACT moment that token is valid? If so, you have other things to worry about.

It's actually permanent. I type it in every single time I have to log into my admin cp. In my case I use my favorite sports team. So, again, in the interest of max security, now everyone knows what I would answer. Is it a critical security flaw? Probably not. But it does feel awkward to type what is meant to be a private phrase openly. If one uses the converse logic, one could argue that it's not necessary to hide passwords either.

@Giray is referring to the challenge questions. You are right though, we can make that a hidden input.

And there is the fleshing out of the request: you are referring to the Q&A functionality here.

I will be honest and say that you should implement Google Authenticator instead as your second-step for the ACP, as it isn't static.

18 minutes ago, Giray said:

Nowadays with virtual meetings, I sometimes show my screen during a call. If I have to go to the Admin CP, and I have to sign in, the two-step verification window is now visible to all. As I type in my challenge answer, everyone gets to see it. Considering it's a form of password, wouldn't it make sense to at least have the option to hide cover the answer with dots like a password?

Not mission critical, but I think it would add some security comfort.

Thx.

I developed a quick plugin last year for this matter:

 

Thanks Nathan. I actually was using it but it just got too tedious. I'm in and out of the back and using GA every single time was driving me nuts. Not to mention that my two other admins threatened to feed me mushrooms (I hate mushrooms 🤐). But I agree, better.

Thanks to all. Like I said, not mission critical, but just a little security tweak.

It simply changes from input text to password.

Just now, Adriano Faria said:

I developed a quick plugin last year for this matter:

 

Now you read my mind? A year in advance. Adriano, I fear you.

3 hours ago, Giray said:

I actually was using it but it just got too tedious. I'm in and out of the back and using GA every single time was driving me nuts. Not to mention that my two other admins threatened to feed me mushrooms (I hate mushrooms 🤐). But I agree, better.

You can enable the TOTP token without forcing others to use it, yet this is also a problem from the perspective of looking up your member record in ACP, as the questions and answers are visible in plaintext.

See:

 

Loving all the teamwork in here 🥲