On Sun, 2014-10-05 at 06:10 +0200, Bernd Eckenfels wrote:
On Fri, 03 Oct 2014 08:31:36 -0400, Nathaniel McCallum <npmccallum(a)redhat.com> wrote:
> In any case, shared accounts should always be discouraged.
Agreed, but there are also other use cases: I have shared my
secrets/tokens on multiple (own) devices. I did that by copying the
code, but using a QR code would have worked as well. In the case of
FreeOTP I think you cannot see/copy the code (which is good for
confidentiality but bad for availability).
However, I think the risk that somebody quickly steals a code with this
function is enough to avoid it. (Maybe when a PIN is required it is
fine.)
After giving this some thought, I think this may be a worthwhile
feature. However, there are some caveats.
First, this should only be implemented for TOTP tokens.
Second, I would want token encryption w/ PIN to be implemented. This
would require an attacker who wants to copy your token secret to enter
the PIN first.
Third, I want all new features for FreeOTP to be implemented for both
iOS and Android so that the apps are kept in sync.
Nathaniel
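One way to build the "token encryption with PIN" gate Nathaniel asks for, as an added example that is neither FreeOTP code nor taken from this thread: the TOTP seed is kept only as AES-GCM ciphertext under a key derived from the PIN with PBKDF2, so an export or QR-code feature has to call openSecret, which fails closed on a wrong PIN or a tampered blob. The salt length, iteration count, blob layout and the hand-written PBKDF2 are assumptions chosen for the example (Go standard library only); the sample seed is the RFC 6238 test key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Example parameters (assumed for this illustration, not FreeOTP's own values).
const (
	saltLen    = 16
	nonceLen   = 12     // standard GCM nonce size
	keyLen     = 32     // AES-256
	iterations = 100000 // PBKDF2 work factor
)

// pbkdf2SHA256 is plain RFC 8018 PBKDF2 over HMAC-SHA256, written out so the
// example depends on nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(be[:])
		u := prf.Sum(nil)          // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_2 .. U_iter, XORed together
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// gcmForPIN turns the user's PIN plus the per-token salt into an AEAD.
func gcmForPIN(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pin), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret stores a TOTP seed as salt || nonce || AES-GCM ciphertext.
// The salt is bound as associated data so it cannot be swapped out.
func sealSecret(secret []byte, pin string) ([]byte, error) {
	blob := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(blob); err != nil { // fresh random salt and nonce
		return nil, err
	}
	gcm, err := gcmForPIN(pin, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(blob, blob[saltLen:], secret, blob[:saltLen]), nil
}

// openSecret is the gate any copy/export feature would sit behind: with the
// wrong PIN the GCM tag check fails and no seed is released.
func openSecret(blob []byte, pin string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("stored token too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmForPIN(pin, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

// totp computes a 6-digit RFC 6238 code with HMAC-SHA1 from a decrypted seed.
func totp(secret []byte, unixTime, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func main() {
	seed := []byte("12345678901234567890") // constructed: the RFC 6238 test key
	blob, _ := sealSecret(seed, "1234")
	if _, err := openSecret(blob, "0000"); err != nil {
		fmt.Println("wrong PIN, export refused:", err)
	}
	got, _ := openSecret(blob, "1234")
	fmt.Println("code at T=59:", totp(got, 59, 30)) // 287082 per RFC 6238
}
```

Because the salt is random per token, two exports of the same seed produce different blobs, and because the PIN never leaves the device, a copied blob alone is useless to whoever grabs the phone for a moment; the cost of the PBKDF2 iterations is what slows down guessing a short PIN offline.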