Remove "HiddenGoogleSecretKey" from HTML Source


While looking through the HTML source I noticed that each user's "HiddenGoogleSecretKey" is displayed in plain text.

 

Sure, the admin already has privileged access to the system and "could" change/reset this value, but I think it would be best practice for only the end-user to ever have access to the secret value.

 

Was this intended or is there not a concern for this value being visible to administrators?

 


Hi ParrishK,

 

We've just updated this in one of the latest builds, and the secret is no longer visible to Security Admins. Please see screenshot below. Security Admins can now clear the key, which will generate a new QR code the next time the user logs into Passwordstate. We've made this change to YubiKey, One Time Password and Google Authenticator authentication types.

 

[Screenshot: 2019-04-16_7-56-07.png]

 

 

If you can perform an upgrade, this issue will be fixed :)

 

Regards,

Support
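
A regression check for the issue discussed in this thread, as an added example that is not part of the original posts or Passwordstate's own code: it parses rendered HTML and reports any form input whose name or id looks like an authenticator secret and still carries a non-empty value. The sample markup, the function names, and every name pattern other than `HiddenGoogleSecretKey` are assumptions.

```python
import re
from html.parser import HTMLParser

# "HiddenGoogleSecretKey" is the field named in the thread; the other
# alternatives are assumptions about how similar fields might be named.
SECRET_NAME = re.compile(r"secret.?key|totp|otp.?seed", re.IGNORECASE)


class SecretFieldFinder(HTMLParser):
    """Collects <input> elements that expose a non-empty secret-like value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        ident = a.get("name") or a.get("id") or ""
        value = a.get("value", "").strip()
        if SECRET_NAME.search(ident) and value:
            # Report the field, its type and the value length, never the value.
            self.findings.append((ident, a.get("type", "text"), len(value)))


def find_exposed_secrets(html):
    """Return (field, input type, value length) for each exposed secret field."""
    finder = SecretFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup (not taken from the product).
BEFORE = '''<form>
<input type="text" name="UserID" value="jsmith">
<input type="hidden" id="HiddenGoogleSecretKey" value="JBSWY3DPEHPK3PXP">
</form>'''
AFTER = '''<form>
<input type="text" name="UserID" value="jsmith">
<input type="hidden" id="HiddenGoogleSecretKey" value="">
</form>'''

if __name__ == "__main__":
    print("before:", find_exposed_secrets(BEFORE))
    print("after: ", find_exposed_secrets(AFTER))
```

Run against saved copies of admin pages after an upgrade, an empty result means no matching field still ships a value to the browser.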

Archived

This topic is now archived and is closed to further replies.
