Under Review

Yubikey OTP should be masked, clicking login shouldn't make the OTP not work

zackf 7 years ago updated by anonymous 7 years ago 4

We use YubiKeys for our OTP dual factor authentication. On every other product that I've used Yubikey on (Gmail, LastPass, etc.) it enters the OTP masked as asterisks or dots. With Screen Connect it enters it as plain text, and also takes 10 seconds or so to log in after the Yubikey does the carriage return, which has led to our users trying to click login, which causes it to not accept the OTP. My expected behavior would be that when using the Yubikey for OTP it would enter it asterisk'd out, and would either immediately log in, or when clicking login it would accept the OTP. There isn't any logical reason that clicking login before Screen Connect has taken the Yubikey OTP would make the OTP not work. I started a support ticket and was told it was functioning as intended, which seems strange since it functions differently than every other 2FA product I've ever used. I really appreciate any help on this!

I don't understand why this isn't already implemented. It seems essential to me and basic security best practices. 

Hi Zack,

Quick update:

We can work on masking the authentication key in the one time password field. We cannot do much to speed the login process up once the key is submitted because at that point we are waiting on Yubikey for a response. 

Hi Kirsten,

Thank you for your response! Masking the authentication key in the one time password field would be great. I understand that there is no way to speed up the login process, but would there be any way to prevent the user from clicking login prior to the one time password response being received from Yubikey? My concern isn't the time it takes to log in, but that if the user clicks login in the time frame between using the Yubikey and it logging in, it invalidates the one time password and gives them an error. If not, it's not a huge deal, but we've already had a few users in our organization come to me stating their account wouldn't log in and that was the issue, so I'd imagine other organizations run into it as well.



Not a problem. I registered the request internally, since this request bundles two enhancements, and will discuss the idea with our dev team to see what is possible. When I have an update I'll notify you.
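
The two behaviours requested in this thread (a masked OTP field, and a second click on Login not spoiling the attempt) can be sketched client-side as follows. This is an added example, not ScreenConnect's code: `validateOtp`, `onDone` and the form elements are hypothetical, and it assumes the error comes from the same one-time value being submitted twice while the first validation is still pending.

```javascript
// Single-flight guard: while one OTP validation is pending, further submits
// (the YubiKey's trailing Enter followed by a click on Login) reuse the
// pending attempt instead of sending the same one-time value a second time.
// validateOtp is a hypothetical async function that posts the OTP to the server.
function createOtpSubmitGuard(validateOtp) {
  let inFlight = null; // promise of the validation currently running, if any
  return {
    isPending: () => inFlight !== null,
    submit(otp) {
      if (inFlight) return inFlight; // duplicate submit: do not resend
      // The async wrapper turns a synchronous throw into a rejected promise.
      const attempt = (async () => validateOtp(otp))();
      inFlight = attempt.finally(() => { inFlight = null; });
      return inFlight;
    },
  };
}

// Wire the guard to a login form. The element arguments are assumptions
// about the page markup; onDone(ok) is a hypothetical result callback.
function attachToLoginForm(form, otpInput, submitButton, validateOtp, onDone) {
  otpInput.type = "password";   // render the OTP as dots instead of plain text
  otpInput.autocomplete = "off"; // a one-time value should not be remembered
  const guard = createOtpSubmitGuard(validateOtp);
  form.addEventListener("submit", (event) => {
    event.preventDefault();       // Enter from the YubiKey arrives here too
    submitButton.disabled = true; // visible cue that the login is in progress
    guard.submit(otpInput.value)
      .then((ok) => onDone(ok), () => onDone(false))
      .finally(() => {
        submitButton.disabled = false;
        otpInput.value = "";      // a used OTP is never worth resubmitting
      });
  });
  return guard;
}
```

Disabling the button alone is not enough, because the key's carriage return and a mouse click can both fire the submit handler; the guard is what keeps the second event from reaching the server.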