[
https://issues.apache.org/jira/browse/GUACAMOLE-1689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17610985#comment-17610985
]
Nick Couchman commented on GUACAMOLE-1689:
------------------------------------------
I'm not sure this change is worth the extra work, for a couple of reasons:
* I use both Google Authenticator and Microsoft Authenticator for dozens of
accounts on a routine basis, and I would say that _most_ of the accounts have
the username or account name as part of the account. This includes most of the
popular sites - Google, GitHub, AWS, Microsoft, etc.
* You can relatively easily rename the accounts within the various
authentication applications after you add them (or, sometimes, when you add
them), so if you're concerned about "data leakage" you can just counsel users
to be careful when they first add it and then go in and change it immediately.
Just my opinion - [~mjumper] or [~jmuehlner], thoughts?
> TOTP - add property to remove (username) from Authenticator setup
> -----------------------------------------------------------------
>
> Key: GUACAMOLE-1689
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1689
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-totp
> Affects Versions: 1.4.0
> Reporter: Vincent Sherwood
> Priority: Minor
>
> When enrolling a user for TOTP, the barcode uses the text from the configured
> totp-issuer (or the default "Apache Guacamole") and appends " (username)"
> when creating the new entry in the Authenticator App. For example
> totp-issuer DevTest
> {quote}DevTest (bloggs_joe)
> 123456
> {quote}
> This leaks valuable information (their username for the system) to anyone who
> might catch sight of a user's authenticator.
> For security-conscious users it would be good to add an option in the config
> file to hide the username.
> # totp-hideuser - Flag to hide username from generated authenticator entry.
> Set value to 1 to hide the username. (Default 0)
> totp-issuer DevTest
> totp-hideuser 1
> {quote}DevTest
> 123456
> {quote}
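As an added illustration (not part of the Jira thread and not Guacamole's code), the sketch below builds the enrollment URI that a TOTP QR code encodes, with and without the account name, and checks whether the username is recoverable from it. It assumes the `otpauth://totp/Issuer:account?secret=...&issuer=...` key URI format used by Google Authenticator-compatible apps; the `hide_user` parameter is a hypothetical stand-in for the proposed `totp-hideuser` property, and the secret is a constructed sample.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

SECRET = "JBSWY3DPEHPK3PXP"  # constructed sample secret, not a real key


def build_totp_uri(secret_b32, issuer, username, hide_user=False):
    """Build an otpauth:// key URI. hide_user is a hypothetical switch
    modelled on the totp-hideuser property proposed in the issue."""
    label = quote(issuer) if hide_user else f"{quote(issuer)}:{quote(username)}"
    query = urlencode({"secret": secret_b32, "issuer": issuer}, quote_via=quote)
    return f"otpauth://totp/{label}?{query}"


def parse_totp_uri(uri):
    """Return the fields of a TOTP key URI that identify the account."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    params = parse_qs(parts.query)
    return {
        "label": label,
        "label_issuer": prefix if sep else None,
        "account": account.strip() if sep else None,
        "issuer_param": params.get("issuer", [None])[0],
    }


def leaks_username(uri, username):
    """True if the username can be read back from the URI's label."""
    return username.lower() in parse_totp_uri(uri)["label"].lower()


if __name__ == "__main__":
    for hide in (False, True):
        uri = build_totp_uri(SECRET, "DevTest", "bloggs_joe", hide_user=hide)
        print(f"hide_user={hide}: {uri} leaks={leaks_username(uri, 'bloggs_joe')}")
```

With the account name omitted, two enrollments under the same issuer carry identical labels, so users holding more than one account on the same deployment would have to rename the entries themselves to tell them apart.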