This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Race to enter Authenticator code into Android app #170

Closed
ThomasHabets opened this issue Oct 10, 2014 · 12 comments

@ThomasHabets (Contributor)

Original issue 171 created by jseder on 2012-04-27T16:59:01.000Z:

Certain Android apps request an Authenticator code after requesting userid and password. As far as I can tell, I must either use a 2-step recovery code (if I have one handy), or engage in a race: open Authenticator and note the code (perhaps waiting until the clock cycles), open the app, enter userid and password and Authenticator code all within the short time limit. This is crazy.

What steps will reproduce the problem?

  1. Enable 2-step verification.
  2. Attempt to sign in to the Android Browser on your new Android device.
  3. Enter your user id and password.
  4. The browser requests an Authenticator code.
  5. You have 60 seconds to open the Authenticator, note the code, open the browser, enter your userid, enter your password, and enter the new Authenticator code.

What is the expected output? What do you see instead?

Either (1) suppress Authenticator requests when using the Android device on which the Authenticator is authorized, or (2) fetch the code from the Authenticator app without user action, or (3) allow Authenticator to act as an "input method", or (4) something else.

What version of the product are you using? On what operating system?

Authenticator 2.15, Android 4.0.4

Please provide any additional information below.

@ThomasHabets (Contributor Author)

Not applicable to this product. Please reopen in https://github.com/google/google-authenticator-android if applicable.

@ThomasHabets (Contributor Author)

Comment #1 originally posted by jseder on 2012-04-27T17:18:22.000Z:

On reflection, I recognize that the problem and proposed solutions are really outside the scope of Authenticator.

But one might fly:
Allow Authenticator to act as an "input method," so a tap-hold on the input box would raise a selection list with Authenticator as one option. Selecting Authenticator as the input method would assert a valid code into the input box.

Another small help would be to add a button to copy the Authenticator code to the clipboard.

@ThomasHabets (Contributor Author)

Comment #2 originally posted by adhintz@google.com on 2012-04-27T17:36:18.000Z:

> add a button to copy the Authenticator code to the clipboard.

If you long-press on a code in Authenticator, a context menu should appear to let you copy the current code. To long-press, put your finger on the screen and then keep your finger on the screen for a couple seconds. It's roughly the equivalent of right-clicking.

@ThomasHabets (Contributor Author)

Comment #3 originally posted by markus@google.com on 2012-04-27T18:06:57.000Z:

Also, while this is not necessarily well-known, Android has a feature for quickly switching between applications. On older devices, you need to press-and-hold the "Home" button. On newer devices, there is a dedicated button.

This should allow you to quickly get back to the previous application where you can now paste the code that you got from the Authenticator. Pasting is enabled by long-clicking into a text field.

Having said that, there are things that could be done to make switching to and from Authenticator easier. If we (optionally) allowed for Authenticator to show up in the global pull-down shade, that could be a way to avoid ever having to switch applications.

Unfortunately, I don't really know much about the Android API. I think this is really only possible with Ice Cream Sandwich or above.

@ThomasHabets (Contributor Author)

Comment #4 originally posted by wikiwify on 2012-06-13T10:46:17.000Z:

More complex situations might involve a program that runs automatically that similarly requires authentication to get at the data it needs, but there's no human around to log in for them. An authenticator token must be prepared in advance that this program uses. Thanks for sharing.
Regards,
http://www.bestcoverletters.biz

@ThomasHabets (Contributor Author)

Comment #5 originally posted by klyubin@google.com on 2012-06-13T17:03:58.000Z:

Thanks for the report!

There are a number of different points I would like to cover.

Firstly, in the ideal world, Android applications should not be asking for credentials -- they should use accounts/credentials configured in the AccountManager (Accounts & Sync). Otherwise the risk of phishing is increased as users are trained to enter their credentials into various apps without thinking.

That said, when adding an account to the Account Manager or when reauthenticating an Account Manager account, you may still need a code (as illustrated by Google accounts with 2-step verification enabled). As previous posters have already pointed out, you can switch to Authenticator, copy the code, and switch back to Account Manager.

Moreover, although time-based codes refresh every 30 seconds, they remain valid for a couple of minutes (to give the user some leeway when entering them and to accommodate devices whose time is not precise). Thus, don't be afraid to copy a code that's about to disappear.

As to permitting other applications to request codes from Authenticator (including via "input method"), it raises a number of security concerns which are hard to mitigate without adding additional permissions prompts which in turn may enable malware to steal codes/credentials.

@ThomasHabets (Contributor Author)

Comment #6 originally posted by jaffa.wify on 2012-06-18T07:35:18.000Z:

Financial businesses include banks and other companies that generate profit through investment and management of capital. Thanks.
Regards,
http://www.tagl.org

@ThomasHabets (Contributor Author)

Comment #7 originally posted by csearle1960 on 2013-09-21T14:04:28.000Z:

I had the same problem.

My work-around was this:

  1. Start authenticator & end it again.
  2. Enter UID & password and get to where the authenticator code is required.
  3. Press and hold the main central button (Samsung phone) to get recent apps.
  4. Choose authenticator and note code.
  5. Press return to get back to the browser (reloads login page).
  6. Press return to go back to where the authenticator code is required.
  7. Enter code.

@ThomasHabets (Contributor Author)

Comment #8 originally posted by shah@google.com on 2014-01-14T06:07:30.000Z:

<empty>

@ThomasHabets (Contributor Author)

Comment #9 originally posted by dmehus on 2014-01-16T19:29:14.000Z:

I believe I've encountered a similar issue that is described above.

While Google Authenticator provides excellent two-factor authentication when verifying your login credentials for a particular supported website (i.e., a Google-owned service) on ANOTHER device, I had recently changed my Google password on my Samsung Galaxy Tab 2 Android tablet and so a notification came up that I was required to re-enter my Google password. I have Google Authenticator set up as my "primary" code delivery mechanism and, when I tried to switch to that app, I could receive the code, but that resulted in me losing the "verify code" screen of my Gmail app. So, it resulted in somewhat of an "infinite loop" of me going back and forth between Authenticator and the Gmail app's "verify code" login screen.

An alternative, as far as I can see, includes having Google (and any Authenticator-supported website) provide a link that immediately opens the Authenticator app, allowing you to see the code; but then the Authenticator app would need an update with a link that says something like, "return to the previous screen to enter verification code," or something like that. Does that make sense?

Also, the time limit for code entry seems rather short. I was prompted to enable two-factor authentication and download Google Authenticator, in part, because my previous financial institution (HSBC in Canada) has a two-factor authentication-based hardware device from VASCO (called the "HSBC Security Device"). That device requires you to enter a four- to eight-digit PIN, then generates a six-digit code that lasts 60 to 120 seconds, I believe. A longer time limit in that sphere would be appreciated.

Cheers,
Doug

@ThomasHabets (Contributor Author)

Comment #10 originally posted by jseder on 2014-01-16T22:28:49.000Z:

Responses #2 and #3 resolved this issue for me.

As for the time to enter the code - this is up to the application developer, but typically you get a reasonable window, like three minutes - the server checks your code against six valid codes centered on the server's current time - to allow for delay in entering data and for slightly inaccurate clocks.
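The validity window described in comments #5 and #10 (codes rotate every 30 seconds, but the server accepts several adjacent codes to tolerate entry delay and clock drift) is illustrated below. This is an added example, not code from this thread or from the Authenticator project; it implements RFC 4226/6238 HOTP/TOTP directly, assumes a six-code window of three past steps and two future steps for illustration, and uses the RFC 6238 Appendix B test key as constructed sample input.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # Authenticator rotates the displayed code every 30 s
DIGITS = 6

# Sample secret for this example: the ASCII test key from RFC 6238 Appendix B.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                past_steps: int = 3, future_steps: int = 2,
                step: int = STEP_SECONDS):
    """Server-side check that tolerates entry delay and clock drift.

    Rather than requiring the code for the current step only, the server accepts any
    code for steps [now - past_steps, now + future_steps]. The defaults (an assumption
    for this example) give six accepted codes: three past, the current one, two future,
    so a code displayed 90 s ago is still valid. A production verifier would also record
    the last accepted step so the same code cannot be replayed.
    Returns the matching step offset, or None if the code is rejected.
    """
    now_step = server_time // step
    for offset in range(-past_steps, future_steps + 1):
        candidate = hotp(secret, now_step + offset)
        # Constant-time compare so response timing does not reveal near-misses.
        if hmac.compare_digest(candidate, submitted):
            return offset
    return None


if __name__ == "__main__":
    issued_at = 1234567890                       # start of a 30 s step
    code = totp(RFC6238_TEST_SECRET, issued_at)  # "005924" per RFC 6238 Appendix B
    print(code, verify_totp(RFC6238_TEST_SECRET, code, issued_at + 90))   # -3: accepted
    print(code, verify_totp(RFC6238_TEST_SECRET, code, issued_at + 120))  # None: too old
```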

@ThomasHabets (Contributor Author)

Comment #11 originally posted by danielle.bartlette on 2014-03-11T01:40:41.000Z:

I'm lost. I tried sending numerous photos (individually) from my HTC gallery using my gmail address with no success because it's asking me for a password (google authenticator password). I've finally figured out how to get a password, but with the time limit, I cannot make it in time to log in before the time runs out. It seems the numerous 'ding' notifications I receive from my unsent mail take longer than the whole time limit allowed to log in... every time this happens, and I've tried to sign in about a dozen times. How can I get past this, because I am thinking this is the most unnatural process?
