After enabling TOTP, the OTP entered is displayed in plain text when using "inspect element" in the browser. Is there a way to encrypt it?

After enabling TOTP, the OTP entered during login is displayed in plain text when using "inspect element" in the browser. Is there a way to encrypt it?

Any input regarding this would be helpful.

Prithvish

What does it matter that the OTP is shown in plain text? It is short-lived, and for any rogue party to try and use it, they would have to get past the password part in time, before the token expires. You can say the same about storing an OAuth2 token as a GET value in a federation exchange. Does it make it insecure? Maybe. But the likelihood that it will be scraped from YOUR session is only noteworthy if you are using HTTP.

3 Likes

You’ll be amazed, but also the session token is visible in plain text in the browser’s developer tools. In the browser tools everything is visible unencrypted before it is transmitted, just like the content of your cloud and the files are unencrypted on your computer when you are working with them.

Or in other words, if you have malware on your computer that can hijack your browser in a way that lets it get to this information, the 30-second TOTP tokens are going to be the least of your problems :wink:

2 Likes

Used OTPs are also stored to prevent replay attacks. Even if someone sees you enter the OTP they won’t be able to use it.

5 Likes
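The replay protection described in the answer above, shown as an added example (not code from the original thread or from any particular product): an RFC 6238 TOTP check that remembers the last accepted time step per user, so a code someone read from the browser's developer tools is useless once it has been consumed. The secret, time step and window size are assumed values.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per TOTP time step (assumed; the common default)
DIGITS = 6   # code length (assumed; the common default)


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Verifies codes and records the last accepted time step, so a code that was
    already used (even one observed in plain text) is rejected on a second attempt."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window            # accept +/- this many steps of clock drift
        self.last_accepted_step = -1    # per-user state; a real server persists this

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue    # already consumed: replay is refused even if it matches
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print(code, v.verify(code, now=59), v.verify(code, now=59))   # first True, replay False
```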

Thanks for your inputs…