Closed GoogleCodeExporter closed 9 years ago
Physical access is always difficult to counter. The app needs to store the key
in a retrievable way, so hashes are not an option there like for user
authentication. In order to increase security there would be 2
possibilities:
1. Add a password with which the key is encrypted. Personally, it would be
too great a hassle for me to type a password each time I want to get an OTP.
2. Hide the key and make it uneditable. I implemented this solution in the
attached version. The only drawback is that if you want to change the key you
need to delete the account and create a new one.
Original comment by Rafael.B...@gmail.com
on 6 Nov 2011 at 9:50
Attachments:
Thanks for your quick reply.
I tested "GoogleAuthenticatorJ2ME_1.0.1 no password editing.jar". As you
stated, this new version no longer allows editing of the key, which I think is
ok and is a small price to pay for increased security. But it still shows the
key in plain text on the screen. Could you make it so it is not shown on
the device's screen?
P.S. I would fix it myself but unfortunately I don't know Java :(
Original comment by ain...@gmail.com
on 7 Nov 2011 at 11:10
I don't know why it still showed the key in plain text. Today I had a bit of time
and removed the secret key textbox from the edit account screen. This should do
it.
Original comment by Rafael.B...@gmail.com
on 9 Nov 2011 at 11:57
Attachments:
Tested the latest version, now it works fine and the issue is solved.
Many thanks!
Original comment by ain...@gmail.com
on 9 Nov 2011 at 2:04
You are welcome. I uploaded this version as Release 1.1.0 for everyone to
download.
Original comment by Rafael.B...@gmail.com
on 9 Nov 2011 at 2:26
Original issue reported on code.google.com by
ain...@gmail.com
on 6 Nov 2011 at 4:17
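
The point made in the first comment, that the OTP key must be stored retrievably and cannot be hashed the way a login password can, shown as an added example (not part of the original thread or the project's code). It is a minimal RFC 6238 TOTP in Python; the sample key is the RFC 6238 test key and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(b32: str) -> bytes:
    """Decode a base32 account key as typed by the user (spaces, missing padding)."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


# Constructed sample input: the RFC 6238 test key, base32-encoded.
SAMPLE_B32 = base64.b32encode(b"12345678901234567890").decode()


def compare_raw_vs_hashed(unix_time: int = 59):
    """Return (code from the raw key, code from a stored hash of the key).

    The server computes its code from the raw key, so a client that kept
    only a hash of the key produces a code the server will reject.
    """
    key = decode_secret(SAMPLE_B32)
    stored_hash = hashlib.sha256(key).digest()  # what a "hashed" store would hold
    return totp(key, unix_time, digits=8), totp(stored_hash, unix_time, digits=8)


if __name__ == "__main__":
    raw, hashed = compare_raw_vs_hashed()
    print("code from raw key:   ", raw)
    print("code from hashed key:", hashed)
```

Because the raw key is an input to the HMAC on every code generation, the only storage-side protections available are the ones listed in the first comment: encrypt the key under a user password, or keep it out of the UI.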