Yubico / yubioath-flutter

Yubico Authenticator for Desktop (Windows, macOS and Linux) and Android
https://developers.yubico.com/yubioath-flutter/
Apache License 2.0

[Bug] v7.0.0 - Expired TOTP codes still visible #1647

Open MrMase opened 2 weeks ago

MrMase commented 2 weeks ago

Issue type: Bug report

Description: When a TOTP code is generated from the app using click and hold from the list, after the TOTP code expires the UI leaves the code still visible instead of reverting back to the standard UI symbol. The impact of this is that, should another party see the screen, it would be possible to tell which accounts had recently been accessed, as this stays present until either navigating to another YubiKey or fully closing the program.

Steps to reproduce and other useful info

  1. Open Yubico Authenticator
  2. Select Device
  3. Unlock Device if protected by code
  4. Click and hold on a records touch symbol
  5. Press Yubikey button
  6. Code copies to Keyboard and timer counts down
  7. Once the timer has expired, the generated code remains on screen and does not revert

Technical information
Operating System: Windows 10
Yubico Authenticator Version: 7.0.0

MrMase commented 2 weeks ago

Just for clarity, this is a separate issue from #1648, where the behaviour is different, but both issues exist on the same system when both keys are plugged in.

dainnilsson commented 2 weeks ago

This is by design to avoid removing codes which are still being typed by the user. The validating server will usually allow a code for several seconds after it expires to allow for the time it takes a user to enter and submit it, rather than fail and force the user to generate a new code. An expired code that is still visible in the app after more than a few seconds will not be valid for use, which is why the app will indicate that it is expired so that the user can generate a new one.

MrMase commented 6 days ago

> This is by design to avoid removing codes which are still being typed by the user. The validating server will usually allow a code for several seconds after it expires to allow for the time it takes a user to enter and submit it, rather than fail and force the user to generate a new code. An expired code that is still visible in the app after more than a few seconds will not be valid for use, which is why the app will indicate that it is expired so that the user can generate a new one.

The expired code part makes sense and is understandable, thanks for clearing that up. However, the privacy portion of the post is still a valid concern; perhaps look to revert the expired code to the default icon after, say, 30 seconds, when the code would definitely no longer be valid. This would only affect users who use the Require Touch feature, given that expired codes do not show for those constantly cycling their codes, so while those have less security on the physical device, they would not have the same privacy-of-use concern.
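As an added illustration of the validity window dainnilsson describes and the "30 seconds" bound MrMase proposes (example code written for this page, not part of yubioath-flutter or of either comment): an RFC 6238 TOTP generator next to a server-side check that tolerates one step of clock skew. The secret is the RFC 4226/6238 test secret, and the one-step window is an assumption about the validating server, not a Yubico setting.

```python
# Added example (not part of yubioath-flutter): RFC 6238 TOTP with a server-side
# acceptance window, showing how long a code the app has shown can still be
# accepted after its 30-second display period has ended.
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
PERIOD = 30   # seconds per TOTP step
WINDOW = 1    # assumed server tolerance: steps accepted on either side of "now"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, period: int = PERIOD, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time step floor(at / period)."""
    return hotp(secret, at // period, digits)

def verify(secret: bytes, code: str, at: int, period: int = PERIOD,
           digits: int = 6, window: int = WINDOW) -> bool:
    """Server-side check: accept the current step and `window` steps either side,
    comparing in constant time so the outcome does not leak through timing."""
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), code)
               for d in range(-window, window + 1))

def valid_until(generated_at: int, period: int = PERIOD, window: int = WINDOW) -> int:
    """Last second at which a code generated at `generated_at` still passes verify():
    the end of step (s + window), where s is the step it was generated in."""
    return (generated_at // period + window + 1) * period - 1

def demo() -> dict:
    """Generate at t=59 (last second of step 1) and probe later instants."""
    shown = totp(TEST_SECRET, 59)
    return {
        "code": shown,                                      # "287082" (RFC 4226, counter 1)
        "display_expires": (59 // PERIOD + 1) * PERIOD,     # app's countdown ends at t=60
        "accepted_at_70": verify(TEST_SECRET, shown, 70),   # still inside the skew window
        "accepted_at_95": verify(TEST_SECRET, shown, 95),   # window has moved past step 1
        "valid_until": valid_until(59),                     # 89: unusable from t=90 on
    }

if __name__ == "__main__":
    print(demo())
```

After `valid_until` the code can no longer authenticate anyone, but a code left on screen still reveals which account was used, which is the privacy point rather than the validity point.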