Andotp: UI/UX: No way to single-tap to copy TOTP code pressing on the card

Created on 28 Feb 2020  路  12Comments  路  Source: andOTP/andOTP

Currently pressing on the card just unhides the code, to copy one has to press the "copy" button. I find it a bit annoying and would appreciate if I could just tap-to-copy every time, assuming AndOTP is configured to do so.

enhancement help wanted maybe

Most helpful comment

My idea for now is to add a setting that controls what a single-tap on an entry does (reveal or copy) and maybe also one to enable double-tap that can do the same.
And by default have single-tap set to reveal (like it is now) and have double-tap do nothing.

All 12 comments

This was already discussed in #17, but since that is a really old issue I will keep this open to discuss this again.

Maybe some other users could contribute and tell us their opinion on this.

I would like to use the currently solution but to be fair with this issue, change/ add a behaviour option:

  • by default: only unhide the code on press. copy to clipboard needs still press the copy button
  • add a option in settings which copy the code directly to clipboard

So by default the code can't be abused from stealing clipboard content and users can config it how they like.

My idea for now is to add a setting that controls what a single-tap on an entry does (reveal or copy) and maybe also one to enable double-tap that can do the same.
And by default have single-tap set to reveal (like it is now) and have double-tap do nothing.

Is this still available? If yes, can I pick this up?

I am still not 100% sure how I want to implement this, so I am probably going to do this myself @SubhrajyotiSen
But there are a lot of other issues that you can try to tackle, even ones that are not labeled as "help wanted".

Suggestion from my side. Make the setting available two fold in the following way.
_Let the user define the action on:_

  • _single-tap_
  • _double-tap_

_and give him the possibility to either select from the following options for both actions:_

  • _do nothing_
  • _reveal_
  • _copy_
  • _copy and drop to background_

Set the default to whatever you deem fit. Give the user a warning, if he chooses "nothing" both times.

One question: what is the use case for copying a TOTP code?
I mean it is a second factor and therefore should reside on a different device (in terms of other than the one logging into something by entering a password + TOTP), right?
So, what is the use of copy-and-paste for TOTP except the _anti-use case_ of logging in on the TOTP producing device?

@dennisguse

It's not up to the software to decide what's an anti-use or not, neither does it matter here, neither is this issue about if copy should exist or not.

@Avamander I know what you mean, but there are some exceptions.
One for example are password fields: those always hide the password (and I can only temporarily show them). I don't know any software that I (as an end user) can configure to _always show_ the password and password fields also do not allow copy-paste.
Long story short: IMHO it is usually not a good to support insecure behavior (like using a password manager and storing username, password, and TOTP together).

Accessing 2FA protected accounts on a mobile device requires to enter the 2FA code. Very seldomly someone carries two devices. One device just for 2FA, the other device for accessing the accounts.
It's a convenience feature, which we could disable per default.

Yes, it's not recommended to access the 2FA protected account on the same device as the one the TOTP resides on.

This is not one of those exceptions.

Neither do I think that you get to declare it as insecure behaviour, you don't know about people's setups and where and how they copy those codes.

In my opinion a copy function for the tokens is necessary. In a perfect scenario you would have a 2nd device just for 2FA and nothing else, but I doubt most people carry around two phones just for that. Sometimes it is just necessary that you login to an account that has 2FA enabled in your phone (for example to Github so I can write this answer from my phone). In that case a copy function is very nice to have.

And it's nor really a security issue to have that function. If someone manages to get into andOTP to the point where they can access the copy function you are screwed either way, at that point they can already access all your accounts 2FA tokens with or without the copy button.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

krc picture krc  路  4Comments

SkewedZeppelin picture SkewedZeppelin  路  4Comments

D0mm4S picture D0mm4S  路  4Comments

StoyanDimitrov picture StoyanDimitrov  路  6Comments

iTrooz picture iTrooz  路  4Comments