Giray Posted March 31, 2021 (edited) Nowadays with virtual meetings, I sometimes show my screen during a call. If I have to go to the Admin CP, and I have to sign in, the two-step verification window is now visible to all. As I type in my challenge answer, everyone gets to see it. Considering it's a form of password, wouldn't it make sense to at least have the option to hide or cover the answer with dots like a password? Not mission critical, but I think it would add some security comfort. Thx.
Nathan Explosion Posted March 31, 2021 I am going to be that guy... is there actually any benefit to this request? How long does the token live? Do the people on the meeting also know your password at that EXACT moment that token is valid? If so, you have other things to worry about.
Giray (Author) Posted March 31, 2021 It's actually permanent. I type it in every single time I have to log into my Admin CP. In my case I use my favorite sports team. So, again, in the interest of max security, now everyone knows what I would answer. Is it a critical security flaw? Probably not. But it does feel awkward to type what is meant to be a private phrase openly. If one uses the converse logic, one could argue that it's not necessary to hide passwords either.
Charles (Management, Featured Comment) Posted March 31, 2021 @Giray is referring to the challenge questions. You are right though, we can make that a hidden input.
Nathan Explosion Posted March 31, 2021 And there is the fleshing out of the request: you are referring to the Q&A functionality here. I will be honest and say that you should implement Google Authenticator instead as your second step for the ACP, as it isn't static.
Adriano Faria (Featured Comment) Posted March 31, 2021 18 minutes ago, Giray said: Nowadays with virtual meetings, I sometimes show my screen during a call. If I have to go to the Admin CP, and I have to sign in, the two-step verification window is now visible to all. As I type in my challenge answer, everyone gets to see it. Considering it's a form of password, wouldn't it make sense to at least have the option to hide or cover the answer with dots like a password? Not mission critical, but I think it would add some security comfort. Thx. I developed a quick plugin last year for this matter:
Giray (Author) Posted March 31, 2021 Thanks Nathan. I actually was using it, but it just got too tedious. I'm in and out of the back, and using GA every single time was driving me nuts. Not to mention that my two other admins threatened to feed me mushrooms (I hate mushrooms 🤐). But I agree, better. Thanks to all. Like I said, not mission critical, but just a little security tweak.
Adriano Faria Posted March 31, 2021 It simply changes the input from text to password.
Giray (Author) Posted March 31, 2021 Just now, Adriano Faria said: I developed a quick plugin last year for this matter: Now you read my mind? A year in advance. Adriano, I fear you.
CoffeeCake Posted March 31, 2021 3 hours ago, Giray said: I actually was using it, but it just got too tedious. I'm in and out of the back, and using GA every single time was driving me nuts. Not to mention that my two other admins threatened to feed me mushrooms (I hate mushrooms 🤐). But I agree, better. You can enable the TOTP token without forcing others to use it, yet this is also a problem from the perspective of looking up your member record in the ACP, as the questions and answers are visible in plaintext. See:
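Masking the input, as Adriano's plugin does, only hides the answer on screen; CoffeeCake's point is that the same static answer is still stored and displayed in plaintext. The following is an added example, not code from this thread or from Invision Community, showing how a challenge answer could instead be stored the way passwords are (normalised, salted, hashed and compared in constant time); the team name, salt size and iteration count are constructed values.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# A challenge answer is a static secret, so treat it like a password:
# never keep or display the plaintext, only a salted hash of a canonical form.
PBKDF2_ITERATIONS = 600_000  # constructed value; tune to your hardware budget


def normalise_answer(answer: str) -> str:
    """Canonicalise an answer so case, Unicode composition and stray
    whitespace do not cause a correct answer to be rejected."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", text).strip()


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$digest_hex', the only thing the member record stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalise_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample answer; the stored record reveals nothing about it.
    record = hash_answer("Example Town Rovers")
    print(record)
    print(verify_answer("  example   town ROVERS ", record))  # True
    print(verify_answer("Some Other Team", record))  # False
```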