Android-password-store: [FEATURE] Option to fill OTP

Created on 25 Mar 2020  路  4Comments  路  Source: android-password-store/Android-Password-Store

Is your feature request related to a problem? Please describe.
I don't know if this is possible using the Autofill API, but something that I have now on my desktop via passff is the ability to fill OTP fields (such as on GitHub).

Describe the solution you'd like
The ability to either automatically detect an OTP field (and suggest github.com/cole-h/otp files), or manually select an OTP entry and fill with a generated code.

If this isn't possible, or is too difficult, I completely understand. I have a 2FA app I can use to supplement (or I could just open the app and navigate to the OTP entry).

cc @FabianHenneke

Most helpful comment

Thank you for the suggestion, this is definitely something that could be very useful if done in the right way. I will happily mentor/review/support PRs in this direction, but will not work on this myself.

The reason is that OTPs on large sites, such as GitHub, will become or even already have become obsolete due to the rise of U2F/FIDO2, which is the only true solution to phishing that is widely supported. Nowadays, between any modern Android phone doubling as a platform security key, stellar FIDO2 support on Windows and Apple opening up NFC for security keys, I don't really see a reason to use OTPs on such sites anymore. With a few notable exceptions such as Amazon, I find myself almost never having to rely on OTPs in daily life, which means that I would also not be using this feature myself.

Small to mid-scale sites will probably continue to rely on OTPs for some more time, but it is probably much harder to develop, test and maintain an OTP filling solution that works for all of them and does not become overly complex.

All in all, I hope that you can understand why I will not be able to take on this feature request. It would still be an awesome feature though, so I will keep this issue open and mark it as PR welcome.

PS: If you haven't done so yet, give FIDO a try, it is definitely worth it.

All 4 comments

Thank you for the suggestion, this is definitely something that could be very useful if done in the right way. I will happily mentor/review/support PRs in this direction, but will not work on this myself.

The reason is that OTPs on large sites, such as GitHub, will become or even already have become obsolete due to the rise of U2F/FIDO2, which is the only true solution to phishing that is widely supported. Nowadays, between any modern Android phone doubling as a platform security key, stellar FIDO2 support on Windows and Apple opening up NFC for security keys, I don't really see a reason to use OTPs on such sites anymore. With a few notable exceptions such as Amazon, I find myself almost never having to rely on OTPs in daily life, which means that I would also not be using this feature myself.

Small to mid-scale sites will probably continue to rely on OTPs for some more time, but it is probably much harder to develop, test and maintain an OTP filling solution that works for all of them and does not become overly complex.

All in all, I hope that you can understand why I will not be able to take on this feature request. It would still be an awesome feature though, so I will keep this issue open and mark it as PR welcome.

PS: If you haven't done so yet, give FIDO a try, it is definitely worth it.

Fair enough. It's not too much trouble to open the app and navigate to the OTP entry for a code (or to use another app).

I've already been looking into FIDO, but am waiting for SoloKey rev 2 to come out before I get myself a security key. I like being given the option to hack on my things, whether or not I actually do hack on it.

Thanks again for your work on Autofill!

With #776 we will be removing support for both TOTP and HOTP so I'm gonna have to close this. Delegating OTP to a dedicated and maintained app is a wiser choice than continuining to rely on functionality that none of the maintainers here use or endorse. I'd certainly recommend giving andOTP a shot!

That's unfortunate. The downside is I'll have to continue using 2 apps to log in (this and whatever OTP app I choose). However, I can certainly understand where you're coming from. Thanks for the great project!

Was this page helpful?
0 / 5 - 0 ratings