freeotp / freeotp-android Goto Github PK

Reported by misc on 24 Dec 2013 16:56 UTC
Hi,

I was wondering if the requirement for freeotp could be lowered ( ie, right now, it ask for android > 3.X and this excludes at least my mobile, running android 2.3.4 ).

Reported by maxandersen on 12 Jun 2014 07:44 UTC
I think it could make FreeOTP easier to find and more consumable if

a) Update screenshots to show github, Facebook, vpn, etc. names instead of generic "Company XYX"

b) Make the text describing the features more about what you can do with it over what specs it implements (Compare google authenticator description vs. freeotp description - ours is for a geek, googles is for a human ;)

c) the "Support" links to freeotp page which says use mailing list which archives are mainly spam - can we fix/clean that up ?

..and maybe add "Authenticator" into the name so it shows up more prominent when searching ?

Reported by mathstuf on 21 Sep 2014 17:18 UTC
I made a malformed URL and tried to scan it with FreeOTP and got a crash:

otpauth://totp/?secret=...

I'm guessing that the username is assumed to be non-empty somewhere.

Reported by henkdepenk on 19 Jun 2014 11:51 UTC
I was testing the app (version 1.4 (13)) and accidently created a wrong QR code for:
otpauth://totp/GL2=secret=KRUGS42JONAVIZLTOQFA====

ORSXG5DBONVWY2TMONSGMCQ=

This should generate a message "invalid qr code" or something. Instead it crashes the app.

I tried eight times, I could reproduce the problem every time.

Reported by afflux on 3 Jan 2014 11:30 UTC
By adding an intent-filter for android.intent.action.VIEW with <data android:scheme="otpauth" /> users can add tokens using their preferred method of input (eg. click on an otpauth:// link, scan QR tags using their own scanning app, ...). Just need to check getIntent() in the activities onResume() (or something) if it is ACTION_VIEW and contains a otpauth:// URL, which then can be passed to tokenURIReceived()

Reported by eparis on 10 Jun 2014 12:54 UTC
I would love to get an android widget which exposes the key on the homescreen. Why should I have to open the app just to see my keys?

Reported by npmccallum on 16 Dec 2013 15:32 UTC
None

Reported by antontsyganenko on 9 Sep 2014 17:20 UTC
when I scan a text qr code I get a message "Unfortunately, FreeOTP has stopped."

Reported by jfenal on 12 Dec 2013 07:56 UTC
Transifex is the localization platform of choice for Fedora projects and many others.

Transifex handles XLIFF files used by Android for localization, as well as Apple .strings files.

Setting up FreeOTP on Transifex will ensure that localization is available broadly to the Fedora community which has extensive localization experience, in both documentation and software, way beyond the only iOS or Android users.

One project for FreeOTP could handle multiple resources, where Transifex translation memory will also help to ease the work of translators: if the same string is in both apps, the first translated will make it available to the other app.

Proposed resources within the Transifex project:

• freeotp-ios
• freeotp-android
• freeotp-documentation

You will then be able to keep track of languages coverage and completion, and benefit from an extensive and experienced translation community dedicated to open source.

Reported by simo on 12 Dec 2013 16:21 UTC
Application data can be accessed on rooted devices or by getting access to backups (esp. on the cloud), it should be possible (and actually encouraged by a setup wizard on app. startup) to encrypt the data store, and decrypt it at application statrup via password/pin/gesture/biometrics/whatever :)

Reported by rubenroy on 21 Nov 2014 20:21 UTC
The storage access framework makes it simple for users to browse and open documents, images, and other files across all of their their preferred document storage providers. A standard, easy-to-use UI lets users browse files and access recents in a consistent way across apps and providers.

Reported by emmanuelbernard on 25 Jun 2014 12:57 UTC
Steps to reproduce:

• Attach a custom icon to a given entry.
• Remove the picture from the Camera Roll (and Photo Stream)
• Reopen FreeOTP

=> the icon is either back to the default or to some random icon from another entry.

Reported by acd on 2 Dec 2014 19:33 UTC
When scanning a QR code, the on-screen image is flipped on both axes relative to the phone, making it difficult to center the code on the screen.

This behavior is observed on a 64G Nexus 6 running Android 5.0 build LRX210.

Reported by andy753421 on 28 Jan 2014 08:06 UTC
I had to write some converter in bash/sed/dc just to get a Base32 encoded secret. It would be much easier to just use hex or decimal, at least as an option.

Reported by xdong on 5 Nov 2014 17:23 UTC

FreeOTP app on iphone6/6+ cannot recognize and scan the qr code generated.

Steps to reproduce:

1.add otptoken with qrcode option
~# ipa otptoken-add --type=totp --owner=one --desc="My soft token" --qrcode
2.Use FreeOTP to scan qrcode

Actual result: qr code could not get scanned

Expected result: qr code got scanned and token id got generated

Reported by anisse on 21 Nov 2014 10:25 UTC
The app crashes on Lollipop on start. Here is the logcat:

I/ActivityManager( 749): START u0 {act=android.intent.action.MAIN cat=[flg=0x10200000 cmp=org.fedorahosted.freeotp/.MainActivity bnds=276,871[540,1167](has extras)} from uid 10022 on display 0
I/ActivityManager( 749): Start proc org.fedorahosted.freeotp for activity org.fedorahosted.freeotp/.MainActivity: pid=7785 uid=10131 gids={50131, 9997, 3003, 1028} abi=armeabi-v7a
D/OpenGLRenderer( 7785): Render dirty regions requested: true
D/Atlas ( 7785): Validating map...
D/AndroidRuntime( 7785): Shutting down VM
E/AndroidRuntime( 7785): FATAL EXCEPTION: main
E/AndroidRuntime( 7785): Process: org.fedorahosted.freeotp, PID: 7785
E/AndroidRuntime( 7785): java.lang.IllegalArgumentException: The key must be an application-specific resource id.
E/AndroidRuntime( 7785): at android.view.View.setTag(View.java:17185)
E/AndroidRuntime( 7785): at org.fedorahosted.freeotp.BaseReorderableAdapter.getView(BaseReorderableAdapter.java:101)
E/AndroidRuntime( 7785): at android.widget.AbsListView.obtainView(AbsListView.java:2344)
E/AndroidRuntime( 7785): at android.widget.GridView.onMeasure(GridView.java:1060)
E/AndroidRuntime( 7785): at android.view.View.measure(View.java:17430)
E/AndroidRuntime( 7785): at android.widget.LinearLayout.measureVertical(LinearLayout.java:875)
E/AndroidRuntime( 7785): at android.widget.LinearLayout.onMeasure(LinearLayout.java:613)
E/AndroidRuntime( 7785): at android.view.View.measure(View.java:17430)
E/AndroidRuntime( 7785): at android.view.ViewGroup.measureChildWithMargins(ViewGroup.java:5463)
E/AndroidRuntime( 7785): at android.widget.FrameLayout.onMeasure(FrameLayout.java:430)
E/AndroidRuntime( 7785): at android.view.View.measure(View.java:17430)
E/AndroidRuntime( 7785): at android.view.ViewGroup.measureChildWithMargins(ViewGroup.java:5463)
E/AndroidRuntime( 7785): at com.android.internal.widget.ActionBarOverlayLayout.onMeasure(ActionBarOverlayLayout.java:447)
E/AndroidRuntime( 7785): at android.view.View.measure(View.java:17430)
E/AndroidRuntime( 7785): at android.view.ViewGroup.measureChildWithMargins(ViewGroup.java:5463)
E/AndroidRuntime( 7785): at android.widget.FrameLayout.onMeasure(FrameLayout.java:430)
E/AndroidRuntime( 7785): at com.android.internal.policy.impl.PhoneWindow$DecorView.onMeasure(PhoneWindow.java:2560)
E/AndroidRuntime( 7785): at android.view.View.measure(View.java:17430)
E/AndroidRuntime( 7785): at android.view.ViewRootImpl.performMeasure(ViewRootImpl.java:2001)
E/AndroidRuntime( 7785): at android.view.ViewRootImpl.measureHierarchy(ViewRootImpl.java:1166)
E/AndroidRuntime( 7785): at android.view.ViewRootImpl.performTraversals(ViewRootImpl.java:1372)
E/AndroidRuntime( 7785): at android.view.ViewRootImpl.doTraversal(ViewRootImpl.java:1054)
E/AndroidRuntime( 7785): at android.view.ViewRootImpl$TraversalRunnable.run(ViewRootImpl.java:5779)
E/AndroidRuntime( 7785): at android.view.Choreographer$CallbackRecord.run(Choreographer.java:767)
E/AndroidRuntime( 7785): at android.view.Choreographer.doCallbacks(Choreographer.java:580)
E/AndroidRuntime( 7785): at android.view.Choreographer.doFrame(Choreographer.java:550)
E/AndroidRuntime( 7785): at android.view.Choreographer$FrameDisplayEventReceiver.run(Choreographer.java:753)
E/AndroidRuntime( 7785): at android.os.Handler.handleCallback(Handler.java:739)
E/AndroidRuntime( 7785): at android.os.Handler.dispatchMessage(Handler.java:95)
E/AndroidRuntime( 7785): at android.os.Looper.loop(Looper.java:135)
E/AndroidRuntime( 7785): at android.app.ActivityThread.main(ActivityThread.java:5221)
E/AndroidRuntime( 7785): at java.lang.reflect.Method.invoke(Native Method)
E/AndroidRuntime( 7785): at java.lang.reflect.Method.invoke(Method.java:372)
E/AndroidRuntime( 7785): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:899)
E/AndroidRuntime( 7785): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:694)
W/ActivityManager( 749): Force finishing activity org.fedorahosted.freeotp/.MainActivity

I might have reordered my OTPs.

Looking at the documentation of setView, it seems FreeOTP is doing something wrong:
https://developer.android.com/reference/android/view/View.html#setTag%28int,%20java.lang.Object%29
Indeed, the key argument should be declared in the resources, but this is not the case here:
L33: private static final int KEY = BaseReorderableAdapter.class.hashCode();

It might also be related to ART, but I don't know.

Regards,

Anisse

Reported by stephenjudge on 8 Mar 2014 17:44 UTC
Many sites that offer two factor authentication offer a method to recover access to your account should you loose your authentication device, this is usually SMS authentication or a set of printable codes. However some sites and OTP implementations don't have such a feature and if you loose your authentication device, you loose access to your account.

An example of this is if you add the Google Authenticator plugin to a self-hosted Wordpress blog. The plugin does not provide a secondary method of authentication. In their FAQ there is this question:

"'''Can I create backupcodes'''?

''No, but if you're using an Android smartphone you can replace the Google Authenticator app with Authenticator Plus.
It's a really nice app that can import your existing settings, sync between devices and backup/restore using your sd-card.
It's not a free app, but it's well worth the money.''"

This proprietary app, Authenticator Plus, does look very nice and has some nice features, but the most beneficial I think is its ability to backup and restore codes.

This could be a huge addition to FreeOTP and I would like to request that someone considers this feature and looks at a way of implementing it. I am not able to code myself.

Reported by dpal on 8 Apr 2014 18:01 UTC

1. Open application on Android device
2. Select the token to display the code
3. Change orientation of the device

Expected:

Code remains visible

Actual:

Code disappears

Reported by oliversalzburg on 6 Oct 2014 09:10 UTC
When I scan this QR code on Android, the entry will be imported just fine. On iOS the camera will disappear and no entry will be added to the list.

[[Image(http://i.imgur.com/11WpJU9.png)]]

Reported by airwave on 1 Aug 2014 13:47 UTC
Yesterday I installed FreeOTP and added some OTPs to it. Today when I try to launch it, I get "Unfortunately, FreeOTP has stopped." Attached is a logcat for the crash. Please let me know if there's any more information I can help with.

Reported by andy753421 on 28 Jan 2014 08:00 UTC
CyanogenMod 10.2 (Android 4.3.1) on Motorola Defy

Reported by andy753421 on 28 Jan 2014 08:03 UTC
I entered the Issuer, ID, and Secret, and selected HOTP with 8 digits and they Add button was still greyed out. Now way to enable it so I hand to cancel.

CyanogenMod 10.2 (Android 4.3.1) on Motorola Defy

p.s. I don't know what Issuer and ID are supposed to be

Reported by till on 7 Aug 2014 22:22 UTC
There are JavaCard smart cards with NFC support that can be used with capable android devices. It would be nice if FreeOTP could use such a card to store the necessary secrets to make it even possible to use the android device to login to systems that should be protected with 2FA.

References[[[BR]([BR]]:
https://github.com/ph4r05/NFC-crypto)]
http://www.fi.muni.cz/~xsvenda/jcsupport.html

Reported by asrob on 12 Dec 2013 14:34 UTC
I would like to help in translating, that's why I would translate from English to Hungarian.

Will there be a Transifex project?

Reported by mhyzon on 24 Jun 2014 14:09 UTC
HOTP tokens disappear (at least on iOS) after 30 seconds like they are TOTP codes, There is no time constraint on HOTP codes. Could we either have a tunable timeout or no timeout on HOTP code display?

If you aren't quick enough to enter the code in your client (like you are distracted, or something), then you 'lose' the code. Do it enough, and sync with the server can be lost

Reported by goldmann on 28 Nov 2014 13:36 UTC
When we have many tokens that fill the entire screen on a phone, when we click to get the code generated on the last one on tje screen, the "copied to clipboard" message hides the code for a couple of seconds.

I should be able to read the code immediately.

Reported by mhyzon on 24 Jun 2014 13:49 UTC
I don't know if iOS or Android can do this, but it would be neat if the app could act as a bluetooth keyboard and send the token code to a paired computer

Reported by maxandersen on 12 Jun 2014 07:47 UTC
I copy the pin much more often than refreshing the key.

Could it be made so when the key is generated single touch copies the key ?

Or that on forced refresh it actually copies the key automatically to clipboard?

This is my main gotcha with FreeOTP compared to Google Authenticator (GA).

GA requires much less "pressing" and "holding" to use it compared to FreeOTP where I have to "hold" the key then select the Copy action to get the key.

Reported by npmccallum on 10 Jul 2014 17:19 UTC
It appears that the long-press UI is not always obvious to people. We should either devise an alternate UI trigger or have some way to educate users as to its availability.

Reported by gabeio on 22 Oct 2014 16:06 UTC
OS: iOS8
Phone: iPhone 6

Description: While entering an identical base32 secret on ios as android it does not take the secret the save button is still grayed out and will not take the key. Even with the issuer entered. I am positive it is a valid key as the android version of freeotp works with the same key.
type: TOTP
Interval: 30
Digits: 8
Alg: SHA1

Reported by jb1988 on 5 Mar 2014 19:48 UTC
After installing FreeOTP and adding 3 tokens, battery use is severerly impacted when the app is running in the background.

This has been confirmed using GSam Battery Monitor. The app can completely run down the battery overnight on the S4.

Reported by mathstuf on 19 Feb 2014 04:56 UTC
Just as a safety precaution :) .

Reported by simo on 12 Dec 2013 16:04 UTC
The F-droid repository is a repository of Free Software Apps for android.
Instructions here: https://f-droid.org/wiki/page/Inclusion_Policy

Reported by simo on 12 Dec 2013 16:07 UTC
Some servers give out unintelligible names that are hard to distinguish.
The user should be allowed to give a nickname to be displayed instead of the UUID so he can easily recoginze the right token.
Bonus point if the background of the tile can also be changed to a themed color for even easier recognition.

Reported by simo on 12 Dec 2013 16:05 UTC
To avoid shoulder surfing by others tokens should stay in inactive status until pressed.

Reported by aph3rson on 2 Oct 2014 06:30 UTC
I know that, in a number of different contexts in Android, different apps to use to upload/select an image are presented in a "Choose app..." menu when selecting an image for a task - e.g. a file explorer, the gallery app, etc. However, with FreeOTP, it seems as if it only shows the gallery app (and automatically opens it), without presenting any other options.

Is there a way around this? I would like to be able to use icons from my icon pack (applied through the CM Theme Engine) as pictures for my individual keys.

Reported by rkbuokbnz on 23 May 2014 20:03 UTC
On an iPhone with iOS 7.1.1 when adding more than 5 tokens, older tokens flow off the bottom of the screen and become unreachable without deleting tokens at the top.

Some sort of scrolling is needed to be able to reach additional tokens. Perhaps the location of tokens should be fixed and then swiping allows for scrolling through all tokens without reordering.

Marked as major only because it makes the app far less useful for heavy users.

Reported by grawity on 12 Feb 2014 16:34 UTC
If the scanned URI only has issuer in query parameters, but not as part of the label, then the issuer does not show up in UI.

Reported by mhyzon on 1 Aug 2014 18:24 UTC
I am not sure if this is actually a problem, but I wanted to bring it up.

I recently got a new iphone so I backed up my old iOS device and then restored to the new one. FreeOTP worked just fine on the new device as well as the old device.

Obviously, the seeds, etc are stored in in the backup file. IIRC, when I upgraded devices with google authenticator, I needed to create a new token, as the seeds were only stored locally on the device.

As much as this is a usability win, I would think it is a security fail since a fundamentally new device should be a fundamentally new token and get a new seed, IMO.

IE, I can imagine a user losing a device, reinstalling from backup, and never reporting the lost device and never disabling the 'old' token, thus the lost/stolen device is still out there and valid (more a problem for TOTP than HOTP, but still)

Reported by afflux on 3 Jan 2014 11:54 UTC
The issuer URI parameter is not being used. In org.fedorahosted.freeopt.Token I suggest the following change:

public String getIssuer() {
    if (mIssuerInt != null)
        return mIssuerInt;
    return mIssuerExt != null ? mIssuerExt : "";
}

Reported by npmccallum on 13 Dec 2013 14:49 UTC
Currently if the user attempts to add a token that already exists, we silently ignore it. Instead, we should:

• detect the token already exists
• prompt the user for permission to overwrite (with stern warning)

There is no security issue here, but it would be helpful to have a better UI.

Reported by zeip on 28 Dec 2013 23:43 UTC
It'd be great if FreeOTP was ported for Sailfish also; currently there's no native app for TOTP authentication and FreeOTP is the best app there is for that :)

Reported by sochotni on 28 Aug 2014 12:02 UTC
During application switching custom icons flash for a second (reloading?). For some reason this flashing doesn't happen on the first (top-most) OTP.

I can provide more info if needed

version: 1.5 (first with custom icons)

Reported by dgilbert on 29 Sep 2014 10:08 UTC
The QR code for me was never recognised; it went into camera mode, showed the white outline box and a circular spinner, but it never accepted it even after ~30s of holding it still; it looked clear in the onscreen image.

Phone: Oppo Find 7 (Using the back camera)
OS: Cyanoganmod 11 (Android 4.4.4)

FreeOTP 1.5 (15)

Reported by adelton on 1 Apr 2014 13:59 UTC
When I set the font size to huge on my Moto G, the bottom of the password (the six digits) is obstructed. It looks like the space for the password does not scale as it could.

Reported by vinaur on 28 Aug 2014 00:26 UTC
With the recent switch to automatic copying of OTP when tapped, the Copy option has been removed from the menu. This is confusing to the user, because it is not obvious that the app copies the OTP to clipboard automatically and there is no explicit way of copying the OTP.

I suggest that FreeOTP displays a toast notification (not sure what the equivalent would be for iOS or if this is even an issue there) when the OTP is copied to clipboard. It could read something like "OTP copied to clipboard"

Reported by abbra on 23 Dec 2013 16:06 UTC
When attempting to scan QR code on Samsung Galaxy S4 mini, I noticed that camera preview shows the viewfinder upside-down and turned from left to right. It makes close to impossible to focus on the QR code.

Previous versions of FreeOTP had no such problem on the same phone. Unfortunately, I did not notice when the change happened.

Reported by dpal on 21 May 2014 18:40 UTC
Comes from FreeOTP feedback.

Reported by simongreen on 8 May 2014 12:10 UTC
It seems tokens are shown with the newest one at the top. Unfortunately this means the one I use most often (Red Hat's) is longer visible without scrolling. It would be good if you could reorder the tokens somehow, or move the last used one to the top or something.

Reported by emmanuelbernard on 25 Jun 2014 12:59 UTC
Most icons will be the logo of the OTP provider (Google, Dropbox etc etc).
The current step is to copy the image to the camera roll and then select it.
It would be nice to be able to point to a URL and have FreeOTP copy the image.

Icons is an awesome feature BTW, it makes it faster to find the right OTP in a big list.