Display TOTP secret as full text in addition to QR code
planned
Michel Pawlak
After 2FA has been activated for a user, when that user logs in for the first time, he has to set up TOTP. In order to do this, a QR code which contains the secret to set up TOTP is displayed.
Not all users want to use a mobile phone to handle TOTP. Desktop applications such as KeePassXC also handle TOTPs, and with the current behavior one needs to take a screenshot and use a QR code detector such as zbarimg to extract the secret. This is far from being user friendly...
Please display the secret in full text to make it possible to copy and paste it and easily set up TOTP from inside KeePassXC (or other similar desktop applications). Note that GitLab, for instance, does it this way.
Thank you in advance.
Maritaria
Regarding @sudo's comment, I'd think of hiding the token initially.
Perhaps a reveal button or a clickable text saying "Unable to scan the QR code?" which then shows a panel with the token, a button to copy the token to the clipboard and a warning stating that the token is only to be put into a password manager directly.
I'd avoid a lengthy educational warning text as at some point people won't even start reading the text.
Sudo
If this feature is implemented, a note would be important to never store the TOTP token and password on the same device. Many users today use password managers on their PC. If the OTP token is stored on the device at the same time, the functionality could have been disabled.
Nicolas Giard
planned
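A TOTP setup QR code normally encodes an `otpauth://` URI whose `secret` parameter is the Base32 value this request asks to have shown as text. The following added example (not code from the project or from the posters) parses such a URI, groups the secret for manual entry and derives the RFC 6238 code from it; the sample URI and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the kind of URI a setup QR code encodes. The secret is
# the RFC 6238 test key ("12345678901234567890"), not a value from a real system.
SAMPLE_URI = ("otpauth://totp/Example%20Wiki:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Wiki"
              "&algorithm=SHA1&digits=6&period=30")

def decode_secret(secret):
    """Base32-decode a secret as typed by a user (spaces, lower case, no padding)."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # ValueError on bad input

def parse_otpauth(uri):
    """Extract the TOTP parameters from an otpauth:// URI; reject anything else."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = q.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("missing secret")
    decode_secret(secret)  # validate before anything is displayed or stored
    return {"label": unquote(parts.path.lstrip("/")),
            "secret": secret,
            "issuer": q.get("issuer", ""),
            "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def display_secret(secret):
    """Group the secret in blocks of four so it can be read and typed reliably."""
    return " ".join(secret[i:i + 4] for i in range(0, len(secret), 4))

def totp(secret, for_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 code for the given Unix time."""
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm")
    counter = struct.pack(">Q", int(for_time) // period)
    mac = hmac.new(decode_secret(secret), counter,
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print(info["label"], "->", display_secret(info["secret"]))
```

The text form and the QR code carry the same secret, so whichever is shown deserves the same handling as the other.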