It's quite interesting, and an impressive implementation.
That's a valuable testimonial for me, thanks.
The only thing that disturbs me is that URL...
otpauth://totp/admin::http://localhost/revo231//revo231/working/?secret=H5BOBZZ2F7PUJ5RI&issuer=Revo+2.3.1+Local (followed by three odd characters that the forums didn't like at all)
Notice the duplication of the subdirectory /revo231/
Could this be because I'm using it in a subdirectory installation? A lot of extras that generate URLs have a problem with that particular corner-case at first.
That's a cosmetic issue in my code; please ignore it, it has absolutely no effect on the functionality. But you can create an issue on GitHub for that, and I will fix it then.
I would think that anybody security-conscious enough to use this would have his and his Manager users' email encrypted with GPG or something, in which case sending the squiggly square thing by email wouldn't be a problem.
As I told you in the PM, I'm a security expert, so from a security-standards perspective, sending the secret by email is the worst and most wrong thing to do. I implemented the courtesy login, which should be the way to go, and I am planning to remove the emailing-the-secret (QR code) functionality in a future release.
I wanted to change many things, but given the nature of my job, I would never be satisfied with the code, which would mean it never gets released, so I made this release candidate and will improve things in the future. As said, it all depends on user interaction with this extra; if the community is interested, I will improve things rapidly and frequently.
The desktop app is broken on OS X 10.
Firefox add-on here https://marketplace.firefox.com/app/gauth-authenticator/
Well, apparently it's not actually a browser add-on, it's a desktop app to generate the keys every 30 seconds.
I never used the desktop apps or browser extensions; they are totally not secure at all. I mentioned them for the sake of presentation only; a mobile device should be used for the sake of security, because mobile device applications can store data in secure storage which only that app can access (with exceptions), so most malware won't easily steal the secret.
Please submit all your ideas, defects, concerns, and feature requests on GitHub; from there I will be able to track and improve them.