Several requests/suggestions/questions

[Thunderschnozzle]

First, let me thank you for this amazing app. It is, in my honest opinion, the best authenticator app on the google store, and should get way more attention then it currently does. I have a few small issues/requests that I would like to suggest/inquire about. I quickly browsed through all the opened and closed issues to make sure none of these have already been discussed so apologies if I missed a similar issue. Also, if you'd like me to separate these into separate issues just let me know.

1. Can you please add 2 icons:

   • Bethesda ---> https://1000logos.net/bethesda-logo/ (the square icon at the bottom)
   • Windscribe ---> https://twitter.com/windscribecom (use their profile icon)

2. Can you add a sorting button at the top right corner, across from the category name, that will open a sorting menu when clicked upon. The menu will include 3 options:

   • Issuer (A--->Z)
   • Issuer (Z--->A)
   • Custom (this will be automatically selected if the user drags and drops any of the entries)

This will allow the user to quickly revert his/her entries back to alphabetic order if they moved a lot of them around using drag and drop

3. In Settings ---> Theme, can you please add 2 more options:

   • System default (AMOLED)
   • Dark mode (AMOLED)

If those options are selected the home page, Main Menu, and "+" menu will look just like the settings page. In the home page, just replace the grey background of each entry with pure black background and separate them with thin dimmed grey lines. In the Main Menu and "+" menu, replace the grey panel with pure black panel as well.

4. Can you add an option in the setting for the authentication codes to be hidden until the user taps on the one he/she wants to reveal. Also, add an option that will allow the user to chose how long the code will stay revealed after the user tapped on it.

5. If the user already entered a password in the Security section of the Settings and then uses the "Backup to encrypted file (recommended)" option, then, in addition to having a password field presented to them where they need to enter a password, they should also be presented with an option below that field that will allow them to use the same password from the Security section of the Settings. This will save the user from typing if they want to use the same password.

6. In each entry's 3 dots menu, can you add an option that will allow the user to change the 30 sec timer before a code changes. Also, add an option to change it for all entries at once.

7. In each entry's 3 dots menu, can you add an option(s) to display the QR code and/or secret key for that entry. That would be a nice alternative to the HTML file backup (though I'm not sure how complicated this would be to implement)

8. If the user has set up the Biometric Unlock option, can you change its implementation so that every time the fingerprint prompt appears on the screen it will not have the prompt to enter a password or fingerprint appear behind it. Instead, the user should only see the fingerprint prompt. Only if the user fails to enter a valid fingerprint (or hit the back button) should the prompt to enter a password appear on the screen.

9. Finally, I encountered a small bug. Sometimes (in most cases actually), after the successful scanning of a QR code and the subsequent creation of a new entry, an overlay appears on top of the entries in the home page. That overlay is the place holder that the user sees after launching the app for the first time. I don't have a screenshot so I'll just describe it in words:

---

(icon in the form of a blue key on grey circle)

Nothing Here! 

If you're new to Authenticator Pro, view the 
getting started guide by clicking below


GETTING STARTED GUIDE
IMPORT FROM OTHER APPS

---

This overlay can easily be dismissed by going to the Settings and then returning to the home page, so it's not that big of deal. Just though you'd like to know.

Alright, that's all I've got. Thanks for listening to my long rant and keep up the good work the makes this such an amazing app!

[luaxlab]

Comment (as a non-dev of the app)

• 1 I could do this, However Windscribe completely prohibits the use of their branding materials so one should get in touch with them first.
  EDIT: And how about the bethesda small icon

• 3 I'm a huge fan of OLED-Dark-Mode, however I don't get what the benefit of this would be. The energy savings from blackish gray to black are negligible, and on the other hand it would introduce more-visible tearing. If one were to implement this, I'd give it a rather low priority.

• 5 Totally agree, +1

• 6 I don't get why you should be able to change the validity time afterwards. I don't know of a service that supports this, and I'd consider it unsafe as you could easily loose access if you're not quite sure what you're doing.

• 8 This depends on your OEM/Android's implementation. As an example, in previous android versions, a full screen dialog would be shown, whereas on more modern android versions there is only an overlay. However, it's a de-facto standard to show the password box in the background.

As I said, those are just my thoughts on this, I'm not the main dev here.

[Thunderschnozzle]

1. Hmm... I haven't even though of that. I saw the Private Internet VPN icon and so I assumed all VPN allow the use of their icons for this kind of purpose. My bad. I guess the only way to have an icon is create a custom one then. Oh well. Maybe I'll try to do that at some point. As for the bethesda dmall icon, it look like an inverted version of the actual icon on a black background, so I'm not sure about that. You can find the icon I suggested by simply searching "bethesda brand logo"

2. You're right, the energy saving when going from grey to black are negligible. I'm more interested in the pure aesthetics of the resulting contrast. I'm not sure what you mean by visible-tearing, but I would agree that it's a low priority for me as well.

3. I'm a bit confused about the your argument since I admit I'm not really sure how authentication apps and TOTP work. I was under the impression that the app uses an algorithm to generate offline the codes based on the secret key + current time at which the code was generated. The user than enters the code into a field and the code is checked in a way that involves the secret key somehow, but I'm not sure how exactly. I do remember being able to successfully use codes on websites on many occasions a few seconds after the authenticator pro has already generated the next code. That's why I though the time is a flexible parameter. Is the problem that it has to be 30 seconds timer or can the timer be of any length, you're just not allowed to change it after it is set. Anyways, no big deal. I can live with 30 seconds time for all entries 👍

4. Yeah, I'm using android 10 so that's why I have to deal with the overlay. However since the password box in the background is under the dev control, then I would assume it is possible for him to only present it to the user if Biometric Unlock option is not enable (even if it goes against standard practices). Again, this is another one of those issues that only bothers me aesthetically.

Thanks for detailed response

[luaxlab]

To explain no. 3 a little further:

The reason that you can use "old" and new codes is that the server does not only check against current code, but also e.g. two past and two future codes. So in theory you have about t-2t seconds to enter the code, where t is the validity period.
The validity period actually tells how to "round" the current time. So by default, the time will be rounded to 30 seconds (so it doesn't matter whether it is 07:30:02 or 07:30:25, they'll be both rounded to 7:30:00).
This isn't a very good explanation, if you want to know how it actually works you can read the IETF RFC

[Thunderschnozzle]

Yeah... tried to read that. I'm afraid it goes a bit over my head. But, from what I was able to gather, the reason for said "rounding" is to compensate for any lag in communication between the user client and the server. And the recommended 30 sec validity period is to strike a balance between usability and security. Too short and the user won't have enough time to enter the code. Too long and the window of opportunity for bad actors to intercept the code becomes to big for comfort. Ok. 30 seconds it is then. Thanks for taking the time to explain this. Much appreciated!

[Schokobecher]

Regarding the Windscribe icon:
We are clear to use it for this purpose. It's the same discussion there was regarding Mario as an icon.
This kind of use is considered fair use. We are neither pretending to be affiliated with Windscribe nor are gaining benefits from boasting their logo, we are simply describing/referring to them. In their ToS, they also restrict usage of the name of the company, which we breached by now...

The company name, the company logo, and the product names associated with Windscribe are trademarks of company or third parties, and no right or license is granted to use them.

Besides that, I don't think they got a commercial license to feature the Doge imagery for their Twitter banner... but that's something else :)

As always @jamie-mh has the last word on this, but if he doesn't object I (or @luaxlab ) would integrate both
I've already dropped them an email, but since they hide behind Garry, their chatbot I don't expect too much 😅

[jamie-mh]

Hi everyone,

1. Yeah, this is always a tricky one. The wording of their terms and conditions seems stricter than most. Perhaps skip this one just in case they decide to sue lol. Unless given explicit permission of course.

2. Maybe, it's hard to tell how this would be implemented yet as regards to keeping the same ordering on the Wear OS app. I'll look into it though.

3. I'm not opposed to a "very dark" theme. I will think about it.

4. I see this feature in many places, but excuse my ignorance, I simply don't understand the point. If someone was looking over your shoulder with the app open, they would need to know your password and login within at most 30 seconds. 2fa codes aren't as sensitive as passwords really.

5. Why not, although, the app password and backup password is not necessarily the same. The UX should reflect this somehow.

6. Indeed, @luaxlab is correct. The server accepts codes within +/- 30 seconds of validity to account for out of sync time and latency. Increasing the period on the app end would just increase the likelyhood of the codes being invalid.

7. Yeah sure.

8. Does it really matter if the password field is visible if it's out of focus? What's the benefit in hiding it? For aesthetics?

9. I know what you mean, this has bugged me for a while. I still need to look into it.

[Thunderschnozzle]

Hi everybody,
Thanks for all the quick and very thorough replies.

1. Yeah, I wouldn't expect much of Garry either. I usually communicate with Windscribe over their Reddit page. I dropped them an inquiry about this subject here. We'll see if they respond.

2. I actually love the way the app sorts the entries by default (Issuer name, A--->Z, followed by Username, A--->Z, if I understand it correctly). It makes perfect sense. I just though a quick way for the user to undo all the dragging and dropping would be nice. Maybe a "restore default" button or something like that, idk.

3. Awesome 👍. Like I told @luaxlab though, not a high priority. Only if you have the time.

4. Yeah, I guess even in today's ubiquitous surveillance cameras world, that would be a bit too paranoid. Fair enough.

5. Cool. And yeah, I know that "the app password and backup password is not necessarily the same". That's why I suggested it should be "an option below that field" ;)

6. Understood.

7. Thanks.

8. Yeah, it's purely for aesthetics reasons. Although (and I admit to being completely ignorant on the matter) I do wonder if the app's clearing of the password field before loading the home page cost a bit in terms of initial load time. Do you think having the password field appear only if it's actually needed would speed up the loading time in any significant way? If not, then don't bother.

9. Nice to know. I though the problem was on my end since no one posted an issue about it. Like I said, it's just a minor annoyance.

[Thunderschnozzle]

Just got the new update. Man I wish the Google Store allowed me to give you more the 5*.
The new features are exactly what I wanted. Thank you 👍

[Schokobecher]

Winscribe replied:

Hi there,

Thank you for contacting Windscribe Support.
If you are inquiring about a partnership or would like to work with Windscribe in some capacity,
please contact partnerships@windscribe.com and someone will get back to you as soon as possible.
We appreciate your interest in Windscribe.

Sincerely,
Krishna

Guess they did not understand.

[Thunderschnozzle]

Sounds like an automated response 😄

[Schokobecher]

Guess their automation only runs every 2 weeks then 😄
Oh well, I don't have the energy to fight for this icon, so it's dead to me.

[Thunderschnozzle]

That's alright. Thanks for trying. Much obliged 👍

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.