parrishk Posted April 15, 2019

While looking through the HTML source I noticed that each user's "HiddenGoogleSecretKey" is displayed in plain text. Sure the admin already has privileged access to the system and "could" change/reset this value but I think it would be best practice for only the end-user to ever have access to the secret value. Was this intended or is there not a concern for this value being visible to administrators?
support Posted April 15, 2019

Hi ParrishK,

We've just updated this in one of the latest builds, and the secret is no longer visible to Security Admins. Please see screenshot below. Security Admins can now clear the key, which will generate a new QR code the next time the user logs into Passwordstate. We've made this change to YubiKey, One Time Password and Google Authenticator authentication types.

If you can perform an upgrade this issue will be fixed :)

Regards,
Support
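A regression check for the behaviour discussed in this thread, added here as an example and not code from Passwordstate or from either poster: it parses a rendered admin page and reports any input field that still carries an OTP secret. It assumes the secret appears as an `<input>` whose name or id contains a word such as "secret" (as with the "HiddenGoogleSecretKey" field named above); the sample HTML, the `ClearKey` button name and the secret values are constructed.

```python
import re
from html.parser import HTMLParser

# Google Authenticator secrets are base32 strings, typically 16+ characters.
BASE32_SECRET = re.compile(r"^[A-Z2-7]{16,}=*$")
# Assumption: name/id fragments that hint at an OTP seed.
SUSPECT_NAME = re.compile(r"secret|otp|totp|seed", re.IGNORECASE)


class SecretFieldFinder(HTMLParser):
    """Collects <input> elements that appear to carry an OTP secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        label = a.get("name") or a.get("id") or ""
        value = a.get("value", "").replace(" ", "").upper()
        name_hit = bool(SUSPECT_NAME.search(label))
        value_hit = bool(BASE32_SECRET.match(value))
        if value and name_hit:
            # Populated secret-named field; a base32-shaped value is near certain.
            self.findings.append((label, "high" if value_hit else "review"))
        elif value_hit and a.get("type", "").lower() == "hidden":
            # Unlabelled hidden field whose value is shaped like a secret.
            self.findings.append((label or "<unnamed>", "review"))


def find_exposed_secrets(html):
    """Return a list of (field label, confidence) for secret-bearing inputs."""
    finder = SecretFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages (not captured from the product).
BEFORE = '''<form><input type="text" name="UserID" value="jdoe">
<input type="hidden" id="HiddenGoogleSecretKey" value="JBSWY3DPEHPK3PXPJBSWY3DP"></form>'''
AFTER = '''<form><input type="text" name="UserID" value="jdoe">
<input type="hidden" id="HiddenGoogleSecretKey" value="">
<input type="submit" name="ClearKey" value="Clear Key"></form>'''

if __name__ == "__main__":
    print("before:", find_exposed_secrets(BEFORE))
    print("after: ", find_exposed_secrets(AFTER))
```

Run against the admin user-edit page after an upgrade, an empty result confirms the secret is no longer sent to the administrator's browser; "review" findings need a manual look because long uppercase values can match the base32 pattern by coincidence.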
Archived
This topic is now archived and is closed to further replies.