[ https://issues.apache.org/jira/browse/GUACAMOLE-1689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611151#comment-17611151 ]
Mike Jumper commented on GUACAMOLE-1689:
----------------------------------------
I agree - not only is this widely-implemented standard practice, but it's
specifically required by the {{otpauth://}} URI format that dictates the QR
code: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

I don't think we should deviate from the standard. We should always provide
exactly the data required by a standard to properly meet the expectations of
implementations of that same standard. Meanwhile, authenticator apps that also
implement that standard should consume and use that data in the manner they
deem best.
> TOTP - add property to remove (username) from Authenticator setup
> -----------------------------------------------------------------
>
> Key: GUACAMOLE-1689
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1689
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-totp
> Affects Versions: 1.4.0
> Reporter: Vincent Sherwood
> Priority: Minor
>
> When enrolling a user for TOTP, the barcode uses the text from the configured
> totp-issuer (or the default "Apache Guacamole") and appends " (username)"
> when creating the new entry in the Authenticator App. For example
> totp-issuer DevTest
> {quote}DevTest (bloggs_joe)
> 123456
> {quote}
> This leaks valuable information (their username for the system) to anyone who
> might catch sight of a user's authenticator.
> For security-conscious users it would be good to add an option in the config
> file to hide the username:
> # totp-hideuser - Flag to hide username from generated authenticator entry.
> Set value to 1 to hide the username. (Default 0)
> totp-issuer DevTest
> totp-hideuser 1
> {quote}DevTest
> 123456
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
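
The label rules of the `otpauth://` Key Uri Format referenced in the comment above, as an added example (not code from Guacamole or from either participant): the account name is the mandatory part of the label and the issuer prefix is optional. The function names and the sample secret are assumptions constructed for illustration.

```python
# Added example: build and validate otpauth://totp key URIs (Key Uri Format).
import base64
from urllib.parse import parse_qs, quote, unquote, urlsplit

SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"  # constructed sample value, not a real key


def build_totp_uri(issuer, account, secret_b32):
    """Return otpauth://totp/ISSUER:ACCOUNT?secret=...&issuer=ISSUER."""
    if not account:
        raise ValueError("the label requires an account name")
    if ":" in issuer or ":" in account:
        raise ValueError("issuer and account name must not contain ':'")
    enc_issuer = quote(issuer, safe="")
    label = f"{enc_issuer}:{quote(account, safe='')}"
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={enc_issuer}"


def parse_totp_uri(uri):
    """Parse a key URI, enforcing the label rules an authenticator relies on."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = unquote(parts.path[1:])
    prefix, sep, account = label.partition(":")
    if not sep:  # issuer prefix is optional; the account name is not
        prefix, account = "", label
    account = account.lstrip(" ")  # spaces may follow the separator
    if not account:
        raise ValueError("label carries no account name")
    params = parse_qs(parts.query)
    secret = params.get("secret", [""])[0]
    if not secret:
        raise ValueError("missing secret parameter")
    # Base32 without padding is normal in key URIs; pad before decoding.
    base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    issuer = params.get("issuer", [prefix])[0]
    if prefix and issuer != prefix:
        raise ValueError("issuer parameter does not match label prefix")
    return {"issuer": issuer, "account": account, "secret": secret}


def entry_title(parsed):
    """Title in the 'Issuer (account)' form shown in the issue description."""
    if parsed["issuer"]:
        return f"{parsed['issuer']} ({parsed['account']})"
    return parsed["account"]


if __name__ == "__main__":
    uri = build_totp_uri("DevTest", "bloggs_joe", SAMPLE_SECRET)
    print(uri, "->", entry_title(parse_totp_uri(uri)))
```
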