Post enabling the TOTP, the OTP entered during login is displayed in plain text when inspecting elements in the browser. Is there a way to encrypt it?
Any input regarding this will be helpful.
Prithvish
What does it matter that the OTP is shown in plain text? It is short-lived, and in the time any rogue party has to try and use it, they will have to get past the password part before the token expires. You can say the same about storing an OAuth2 token as a GET value in a federation exchange. Does it make it insecure? Maybe. But the likelihood that it will be scraped from YOUR session is only noteworthy if using HTTP.
You’ll be amazed, but also the session token is visible in plain text in the browser’s developer tools. In the browser tools everything is visible unencrypted before it is transmitted, just like the content of your cloud and the files are unencrypted on your computer when you are working with them.
Or in other words, if you have malware on your computer that can hijack your browser in a way that it can get to this information, the 30-second TOTP tokens are gonna be the least of your problems.
Used OTPs are also stored to prevent replay attacks. Even if someone sees you enter the OTP they won’t be able to use it.
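As an added example (not code from this thread or from any project discussed in it): a minimal RFC 6238 TOTP check in Python that also records the last accepted time step per user, so a code that someone saw in the browser's developer tools is rejected once it has been used. The secret, the drift window and the in-memory bookkeeping are assumptions; a real server persists the last-used step alongside the user's secret.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30  # RFC 6238 default step length in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    # RFC 6238: HOTP with the counter derived from Unix time
    return hotp(secret, at // TIME_STEP, digits)


class TotpVerifier:
    """Server-side verifier that refuses to accept a time step twice (replay protection)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # accept +/- this many steps to tolerate clock drift
        self.last_used_step = -1    # highest step already consumed; persist per user in practice

    def verify(self, code: str, at: int) -> bool:
        step = at // TIME_STEP
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_used_step:
                continue            # this step (or an earlier one) was already used: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 6238 SHA-1 test secret
    demo_secret = b"12345678901234567890"
    v = TotpVerifier(demo_secret)
    print(v.verify(totp(demo_secret, 59), 59))   # first use: accepted
    print(v.verify(totp(demo_secret, 59), 65))   # same code again: rejected as replay
```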
Thanks for your inputs…