Details
- Improvement
- Status: Closed
- Minor
- Resolution: Won't Do
- 1.4.0
- None
- None
- Important
Description
When enrolling a user for TOTP, the barcode uses the text from the configured totp-issuer (or the default "Apache Guacamole") and appends " (username)" when creating the new entry in the Authenticator App. For example:
totp-issuer DevTest
DevTest (bloggs_joe)
123456
This leaks valuable information (their username for the system) to anyone who might catch sight of a user's authenticator.
For security-conscious users it would be good to add an option in the config file to hide the username.
- totp-hideuser - Flag to hide username from generated authenticator entry. Set value to 1 to hide the username. (Default 0)
totp-issuer DevTest
totp-hideuser 1
DevTest
123456
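
An added example, not part of the original report and not Guacamole's own code: it assumes the enrollment barcode encodes a standard `otpauth://totp/Issuer:account` key URI, and shows where the username travels in that URI and how a reviewer could check an enrollment URI for it. The `hide_user` parameter models the proposed totp-hideuser option, and the function names and the sample secret are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"  # constructed base32 sample, not a real key


def build_enrollment_uri(issuer, username, secret, hide_user=False):
    """Build the otpauth:// URI that gets encoded into the enrollment barcode.

    hide_user models the proposed totp-hideuser option (hypothetical here).
    """
    if ":" in issuer:
        raise ValueError("issuer must not contain ':' (it delimits the label)")
    label = quote(issuer, safe="")
    if not hide_user:
        label += ":" + quote(username, safe="")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer, safe='')}"


def exposed_account(uri):
    """Return the account name carried in the URI label, or None if absent."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    label = unquote(parts.path.lstrip("/"))
    issuer = parse_qs(parts.query).get("issuer", [""])[0]
    prefix, sep, account = label.partition(":")
    if sep:
        return account.strip() or None
    # Assumption: a bare label equal to the issuer carries no account name.
    return None if label == issuer else (label or None)


def entry_title(uri):
    """Title in the 'Issuer (account)' style shown in the report above."""
    issuer = parse_qs(urlsplit(uri).query).get("issuer", [""])[0]
    account = exposed_account(uri)
    return f"{issuer} ({account})" if account else issuer


if __name__ == "__main__":
    for hide in (False, True):
        uri = build_enrollment_uri("DevTest", "bloggs_joe", SAMPLE_SECRET, hide)
        print(uri, "->", entry_title(uri), "| leaks:", exposed_account(uri))
```

With the account name omitted, two enrollments under the same issuer produce identical entry titles, so a user holding several accounts on one deployment can no longer tell them apart in the app.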