Why do many websites hide input when entering an OTP?
I've noticed that on many sites, when they ask for a one-time password (OTP) (usually sent by SMS), the input is hidden in the same way as a password field is.
My understanding is that once an OTP is used, then it is no longer useful for anything.
Is there a valid reason for hiding the input for these fields?
password-policy one-time-password user-interface
asked Sep 26 at 16:09 by Robin Salih
edited Sep 29 at 9:49 by Peter Mortensen
6
When Facebook started to accept mis-capitalized passwords, some people expressed concerns on whether that was secure. If a site stops hiding input in a field named "password", the same controversy will ensue.
– Dmitry Grigoryev
Sep 27 at 20:44
1
Can you give example for sites? Facebook, Github, Azure, AWS, Google all show the digits.
– eckes
Sep 28 at 8:46
2
@eckes My bank's 3D Secure thing does it. Whenever I use my debit card, I get taken to that page (*.arcot.com). imgur.com/a/RNMr555
– PNDA
Sep 29 at 10:57
1
In a big form having lots of fields including the password field, a third party may see the password and submit it before the user does.
– frogatto
Sep 29 at 12:34
1
@eckes I've seen it in a few places including Natwest Online banking.
– Robin Salih
Sep 30 at 16:51
5 Answers
I'm basing my answer on the assumption that a One-Time Password is used as a second factor, in addition to a traditional username/password combination. If this is not the case, and the One-Time Password is the only factor, then Gilles' Answer is certainly more applicable.
Most likely due to Cargo Cult Programming, which means blindly following patterns that have been observed elsewhere, without understanding the real meaning behind them.
A developer may see the "password" in "One-time password" and happily make it <input type="password">. After all, that's what it's there for, right?
Is there a disadvantage?
Security-wise, no. Disclosing a one-time password to a third party (e.g. through shoulder surfing) is not as problematic, because the password loses validity after one use, or after a certain amount of time.
The only imaginable downside would be a lesser user experience, as a user might have trouble ensuring that what they have typed actually matches the password they received.
6
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
18
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
4
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
1
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
1
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
The reason to hide passwords is to prevent shoulder surfing: someone being physically present (or someone observing through a camera) might be able to read the password on the screen. This is also a risk for a one-time password, but to a much lesser extent for two reasons: the one-time password is only valid for a short time, and it's displayed on the OTP device anyway. But it's a risk nonetheless. Depending on the type of OTP, it may remain valid for a couple of minutes (if it's time-based and the server doesn't protect against replay) or until the legitimate user has finished typing it (if it's sequence-based or the server protects against replay). Often the screen of the OTP device is less visible to shoulder surfers than the computer where the user enters the OTP.
Declaring a field as a password does other things than hiding the data: it may prevent copying to the clipboard, and may cause the application not to record the OTP in a form entry history. None of those has any security benefit, but omitting the OTP from the entry history has a usability benefit: it avoids giving users the impression that the OTP is a valid input later.
These are pretty weak reasons. The main reason is that form designers see that the input is a password of some kind and therefore declare it as a password.
1
Assuming that a one-time password is used as a second factor, I would consider it much less of a risk, since someone would need to be in posession of the primary factor as well. But this is a good point, I'll add that to my answer accordingly.
– MechMK1
Sep 26 at 16:50
19
Using autocomplete="one-time-code" omits the OTP from the history without being user-hostile.
– chrylis -on strike-
Sep 27 at 1:21
11
This may seem like a bit of a James Bond level of paranoia, but one consideration for shoulder surfing security is the network reliability. We push people onto https to prevent automated mitm attacks, but no cryptography ensures the network doesn't go down. An attacker may be able to see the code, jam the signal (e.g unplug the router) and get a good two minutes in the confusion to put it in for themselves.
– Josiah
Sep 27 at 7:24
1
A server that doesn't protect against replayed OTPs is pretty much broken by definition...
– ilkkachu
Sep 27 at 13:16
1
@Gilles, I don't doubt that they exist, but that really seems to violate the "one-time" property that's right there in what OTP is short for... I always thought that the idea was that once a one-time password was used, it must be assumed leaked, and hence must not be accepted again. Which may mean you'd need a centralized system to keep track of the used OTP, and should have some single-sign on system to authenticate into multiple systems at the same time, but that's what you get. Reaccepting the same OTP just sounds like inviting an eavesdropper to login after you...
– ilkkachu
Sep 27 at 13:36
Speculating about the motive of other developers is perhaps a poor use of time, but I can see one advantage that hasn't been mentioned.
Psychologically, making it look like a password helps people associate it with security. It transfers the message we have pushed for decades that "you don't tell people your password" to OTPs, and hopefully helps a few more users pause and question when Bob Hackerman phones them up asking them to confirm the six digit code he just sent them. The user is usually the weakest part of the system, so that seems like a reasonable place to invest.
Technically, there are disadvantages (like the browser storing it) and it would be better with a dedicated HTML field for OTPs. Even if we had one, it would be entirely reasonable to have it dotted out as the default UX.
2
I like this reasoning. I know what they are, and about the usual security problems. Joe Blogg's granny on the other hand. Anything that helps the less security literate be more secure is a good thing.
– Baldrickk
Sep 27 at 9:48
The reason for hiding the input of the field may be due to programming patterns (like @MechMK1 stated), because the developer wouldn't code a separate field for each authentication type offered, so they reuse the field with type password. Not doing so could lead to code bloat.
An attacker could use the one time password when he sees you typing it in.
It comes down to the question of timing. If he is a sophisticated attacker he might read the one-time password that is not hidden and at the same time block your network connection before you hit enter. So he can read the OTP you are typing, hinder you from sending the form and use the OTP to log in as you.
This might sound very awkward, but in our opinion a sincere OTP implementation should take care of this.
As @MechMK1 pointed out the OTP is - as the name suggests - only valid once. But the OTP is only invalidated when the server verifies it. And as mentioned, if the attacker can prevent you from sending the OTP to the server the OTP is not invalidated and the attacker can use this very OTP before you.
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218735%2fwhy-do-many-websites-hide-input-when-entering-an-otp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
I'm basing my answer on the assumption that a One-Time Password is used as a second factor, in addition to a traditional username/password combination. If this is not the case, and the One-Time Password is the only factor, then Gilles' Answer is certainly more applicable.
Most likely due to Cargo Cult Programming, which means blindly following patterns that have been observed elsewhere, without understanding the real meaning behind them.
A developer may see the "password" in "One-time password" and happily make it <input type="password">
. Afterall, that's what it's there for, right?
Is there a disadvantage?
Security-wise, no. Disclosing a one-time password to a third party (e.g. through shoulder surfing) is not as problematic, because the password loses validity after one use, or after a certain amount of time.
The only imaginable downside would be a lesser user experience, as a user might have trouble ensuring that what they have typed actually matches the password they received.
6
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
18
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
4
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
1
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
1
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
|
show 5 more comments
I'm basing my answer on the assumption that a One-Time Password is used as a second factor, in addition to a traditional username/password combination. If this is not the case, and the One-Time Password is the only factor, then Gilles' Answer is certainly more applicable.
Most likely due to Cargo Cult Programming, which means blindly following patterns that have been observed elsewhere, without understanding the real meaning behind them.
A developer may see the "password" in "One-time password" and happily make it <input type="password">
. Afterall, that's what it's there for, right?
Is there a disadvantage?
Security-wise, no. Disclosing a one-time password to a third party (e.g. through shoulder surfing) is not as problematic, because the password loses validity after one use, or after a certain amount of time.
The only imaginable downside would be a lesser user experience, as a user might have trouble ensuring that what they have typed actually matches the password they received.
6
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
18
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
4
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
1
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
1
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
|
show 5 more comments
I'm basing my answer on the assumption that a One-Time Password is used as a second factor, in addition to a traditional username/password combination. If this is not the case, and the One-Time Password is the only factor, then Gilles' Answer is certainly more applicable.
Most likely due to Cargo Cult Programming, which means blindly following patterns that have been observed elsewhere, without understanding the real meaning behind them.
A developer may see the "password" in "One-time password" and happily make it <input type="password">
. Afterall, that's what it's there for, right?
Is there a disadvantage?
Security-wise, no. Disclosing a one-time password to a third party (e.g. through shoulder surfing) is not as problematic, because the password loses validity after one use, or after a certain amount of time.
The only imaginable downside would be a lesser user experience, as a user might have trouble ensuring that what they have typed actually matches the password they received.
I'm basing my answer on the assumption that a One-Time Password is used as a second factor, in addition to a traditional username/password combination. If this is not the case, and the One-Time Password is the only factor, then Gilles' Answer is certainly more applicable.
Most likely due to Cargo Cult Programming, which means blindly following patterns that have been observed elsewhere, without understanding the real meaning behind them.
A developer may see the "password" in "One-time password" and happily make it <input type="password">
. Afterall, that's what it's there for, right?
Is there a disadvantage?
Security-wise, no. Disclosing a one-time password to a third party (e.g. through shoulder surfing) is not as problematic, because the password loses validity after one use, or after a certain amount of time.
The only imaginable downside would be a lesser user experience, as a user might have trouble ensuring that what they have typed actually matches the password they received.
edited Sep 26 at 16:52
answered Sep 26 at 16:43
MechMK1MechMK1
15.9k10 gold badges62 silver badges74 bronze badges
15.9k10 gold badges62 silver badges74 bronze badges
6
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
18
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
4
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
1
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
1
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
|
show 5 more comments
6
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
18
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
4
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
1
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
1
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
6
6
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
Depending upon the scheme, OTPs aren't just one-time. For example, TOTP tokens are valid for 30 seconds, regardless of the number of times you actually use the token. In that case, shoulder-surfing can be a problem if the first factor (e.g. password) has already been compromised.
– Christopher Schultz
Sep 27 at 16:04
18
18
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
@ChristopherSchultz If it's implemented according to the RFC TOTP is one time: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP".
– AndrolGenhald
Sep 27 at 21:46
4
4
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
@AndrolGenhald Interesting. Apparently, I had missed that detail when implementing TOTP as an example at some point. This RFC-MUST-NOT requirement makes it difficult to fully-implement the spec in distributed systems. I wonder how many implementations are actually compliant.
– Christopher Schultz
Sep 28 at 1:41
1
1
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
@ChristopherSchultz - difficult but not impossible. One of the things the blockchain hype taught is that it's possible to develop robust consensus algorithms - something people used to have a hard time with (specifically dealing with the split brain problem)
– slebetman
Sep 28 at 13:57
1
1
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
@OlegV.Volkov Since we're talking about the entry on the website, the shoulder surfer obviously cannot enter the full code before the real user (although they could potentially submit the form before the real user). If you're talking about shoulder surfing the code displayed on the OTP device, that's irrelevant to the question.
– AndrolGenhald
Sep 28 at 18:29
|
show 5 more comments
The reason to hide passwords is to prevent shoulder surfing: someone being physically present (or someone observing through a camera) might be able to read the password on the screen. This is also a risk for a one-time password, but to a much lesser extent for two reasons: the one-time password is only valid for a short time, and it's displayed on the OTP device anyway. But it's a risk nonetheless. Depending on the type of OTP, it may remain valid for a couple of minutes (if it's time-based and the server doesn't protect against replay) or until the legitimate user has finished typing it (if it's sequence-based or the server protects against replay). Often the screen of the OTP device is less visible to shoulder surfers than the computer where the user enters the OTP.
Declaring a field as a password does other things than hiding the data: it may prevent copying to the clipboard, and may cause the application not to record the OTP in a form entry history. None of those has any security benefit, but omitting the OTP from the entry history has a usability benefit: it avoids giving users the impression that the OTP is a valid input later.
These are pretty weak reasons. The main reason is that form designers see that the input is a password of some kind and therefore declare it as a password.
answered Sep 26 at 16:42
Gilles 'SO- stop being evil'
1
Assuming that a one-time password is used as a second factor, I would consider it much less of a risk, since someone would need to be in possession of the primary factor as well. But this is a good point, I'll add that to my answer accordingly.
– MechMK1
Sep 26 at 16:50
19
Using autocomplete="one-time-code" omits the OTP from the history without being user-hostile.
– chrylis -on strike-
Sep 27 at 1:21
11
This may seem like a bit of a James Bond level of paranoia, but one consideration for shoulder surfing security is the network reliability. We push people onto https to prevent automated mitm attacks, but no cryptography ensures the network doesn't go down. An attacker may be able to see the code, jam the signal (e.g. unplug the router) and get a good two minutes in the confusion to put it in for themselves.
– Josiah
Sep 27 at 7:24
1
A server that doesn't protect against replayed OTPs is pretty much broken by definition...
– ilkkachu
Sep 27 at 13:16
1
@Gilles, I don't doubt that they exist, but that really seems to violate the "one-time" property that's right there in what OTP is short for... I always thought that the idea was that once a one-time password was used, it must be assumed leaked, and hence must not be accepted again. Which may mean you'd need a centralized system to keep track of the used OTP, and should have some single-sign on system to authenticate into multiple systems at the same time, but that's what you get. Reaccepting the same OTP just sounds like inviting an eavesdropper to login after you...
– ilkkachu
Sep 27 at 13:36
Speculating about the motive of other developers is perhaps a poor use of time, but I can see one advantage that hasn't been mentioned.
Psychologically, making it look like a password helps people associate it with security. It transfers the message we have pushed for decades that "you don't tell people your password" to OTPs, and hopefully helps a few more users pause and question when Bob Hackerman phones them up asking them to confirm the six digit code he just sent them. The user is usually the weakest part of the system, so that seems like a reasonable place to invest.
Technically, there are disadvantages (like the browser storing it) and it would be better with a dedicated HTML field for OTPs. Even if we had one, it would be entirely reasonable to have it dotted out as the default UX.
answered Sep 27 at 7:07
Josiah
2
I like this reasoning. I know what they are, and about the usual security problems. Joe Blogg's granny on the other hand. Anything that helps the less security literate be more secure is a good thing.
– Baldrickk
Sep 27 at 9:48
The reason for hiding the input of the field may be due to programming patterns (like @MechMK1 stated), because the developer wouldn't code a separate field for each authentication type offered, so they reuse the field with type password. Not doing so could lead to code bloat.
answered Sep 28 at 13:10
hightownhill
An attacker could use the one time password when he sees you typing it in.
It comes down to the question of timing. If he is a sophisticated attacker, he might read the unhidden one-time password and at the same time block your network connection before you hit enter. So he can read the OTP you are typing, hinder you from sending the form and use the OTP to log in as you.
This might sound very awkward, but in our opinion a sincere OTP implementation should take care of this.
As @MechMK1 pointed out, the OTP is - as the name suggests - only valid once. But the OTP is only invalidated when the server verifies it. And as mentioned, if the attacker can prevent you from sending the OTP to the server, the OTP is not invalidated and the attacker can use this very OTP before you.
answered Sep 28 at 23:12
cornelinux
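Added example, not code from any answer on this page: a server-side TOTP verifier in Python that records the last accepted time step per user, so a code that has already been verified is refused even while its 30-second step is still current. It illustrates Gilles' "server protects against replay" case and the invalidation-on-verification point in the answer above; the secret (the RFC 6238 test-vector key), user names and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6
DRIFT_STEPS = 1     # also accept the neighbouring steps to absorb clock skew


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class OtpVerifier:
    """Server side: per-user secret plus the highest time step already consumed.

    The consumed-step record is the replay guard. Without it a TOTP code stays
    valid for the whole step plus the drift window, which is the "couple of
    minutes" exposure discussed in the answers above. For a counter-based
    (HOTP) token the same field would hold the last accepted counter value.
    """

    def __init__(self) -> None:
        self._secrets = {}     # user -> shared secret (constructed demo data)
        self._last_step = {}   # user -> highest time step already consumed

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_step[user] = -1   # nothing consumed yet

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - DRIFT_STEPS, now_step + DRIFT_STEPS + 1):
            # A step at or below the last consumed one is a replay: reject it
            # even if the digits match, because that code must be treated as public.
            if step <= self._last_step[user]:
                continue
            if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
                self._last_step[user] = step   # consume on first successful verification
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test-vector secret.
    key = b"12345678901234567890"
    server = OtpVerifier()
    server.enroll("alice", key)
    first = totp(key, 59)                      # "287082"
    print(server.verify("alice", first, 59))   # True: fresh code
    print(server.verify("alice", first, 70))   # False: that step is already consumed
```

The guard only shortens the exposure to "until the first successful verification"; it does not help when the observer submits the code before the legitimate user, which is the timing scenario the answer above describes.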
6
When Facebook started to accept mis-capitalized passwords, some people expressed concerns on whether that was secure. If a site stops hiding input in a field named "password", the same controversy will ensue.
– Dmitry Grigoryev
Sep 27 at 20:44
1
Can you give examples of sites? Facebook, Github, Azure, AWS, Google all show the digits.
– eckes
Sep 28 at 8:46
2
@eckes My bank's 3D Secure thing does it. Whenever I use my debit card, I get taken to that page (*.arcot.com). imgur.com/a/RNMr555
– PNDA
Sep 29 at 10:57
1
In a big form having lots of fields including the password field, a third party may see the password and submit it before the user does.
– frogatto
Sep 29 at 12:34
1
@eckes I've seen it in a few places including Natwest Online banking.
– Robin Salih
Sep 30 at 16:51