Comments (6)
mpchadwick
commented on July 22, 2024
1
@phoenix128 TIL the term "shoulder surfing". That being said I don't really agree with this. Even if you obscure the input in Magento it will be shown in plain text to the user on their 2FA device that they pull it from. Someone could also watch their key stroked on the keyboard. I use 2FA from many big providers like Google / GitHub and have never seen the 2FA input field obscured.
from security-package.
Leland
commented on July 22, 2024
1
@phoenix128 Any updates on this? Magento's implementation runs counter to every single other instance of 2FA that I've seen.
from security-package.
phoenix128
commented on July 22, 2024
Hello @mpchadwick ,
this is the expected behaviour. I understand your point, but I consider an obscured field slightly more secure than a clear field, even if we are dealing with a 2FA code.
I would like to avoid a shoulder surfing issue allowing the usage of the same code twice in the same time interval.
Does it make sense for you?
from security-package.
phoenix128
commented on July 22, 2024
I will discuss this internally.
from security-package.
ihor-sviziev
commented on July 22, 2024
+1 for showing 2FA code while you're typing it. People just doing mistakes, probably because of it all big companies not hiding it
from security-package.
phoenix128
commented on July 22, 2024
Feature already added to new release.
from security-package.
Related Issues (20)
- Captcha Modules do not contain CSP Whitelist for google HOT 4
- Paypal Recaptcha Disappear In Checkout HOT 4
- Email notification for 2FA configuration has a wrong link, which leads to 404 page HOT 3
- invisible recaptcha v3 validation does not validate score_threshold set in admin config HOT 1
- Allow use reCAPTCHA globally HOT 6
- Mark interfaces and blocks as API HOT 6
- Newly created admin users are unable to pass Two-Factor Authentication HOT 4
- Not able to use captcha multiple times in same page HOT 7
- Admin user 2FA provider preference not saving HOT 12
- Unable to Plugin to \Magento\TwoFactorAuth\Observer\ControllerActionPredispatch HOT 4
- Remove 2FA Force Provider "Use system value" checkbox HOT 3
- Disable 2fa auth for specifi user HOT 2
- ReCaptcha checkout config provider name conflicts with Braintree HOT 6
- Authy Remember Me Option HOT 1
- Errors with bulk API when ReCaptchaWebapiRest is enabled HOT 8
- test HOT 5
- Publish a new release of TwoFactorAuth extension HOT 2
- I have got an issue on admin frequently "You cannot proceed with such operation, your reCaptcha reputation is too low. HOT 6
- Duplicate reCAPTCHA validation breaks checkout success redirect after initial server error response HOT 6
- Wrong version in 1.1.3-p1 metapackage composer.json HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-package.