Open
Description
Some sites have a rather short timeout when registering the TOTP 2FA, and when restarting that process, a new secret is generated.
This leads to problems like this:
- You start the TOTP 2FA registration process on (say) evil.com.
- You scan the QR code with Aegis, adding a TOTP entry for evil.com.
- You want to write down (or type it on your desktop PC) the secret code shown in Aegis (which takes some time).
- When you are done (and safe), you want to enter the 2FA response to evil.com.
- However, the registration procedure has timed out (and your entry in Aegis is now an orphan).

So you decide to do it again, trying to be faster. However, when scanning the QR code, another entry for evil.com is being created (with a different secret), and it's hard to tell "who's who" (other than trying each response) when viewing the list.
So I suggest this enhancement:
- If a QR code results in an entry whose name exists already, don't silently add another one, BUT
- ask whether the existing entry with the same name should be updated with the new secret (also giving a warning about the consequences)
- OR whether to create a new entry with a different name (either adding a suffix like "#2" automatically, or letting the user edit the name)
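The duplicate-name handling proposed above, written out as an added example (this is not Aegis code and does not reflect how Aegis stores entries). It assumes a minimal `otpauth://totp/...` parser, an in-memory list of entries, a stand-in `on_conflict` callback for the dialog, and the suffix format `" #2"`, `" #3"`, ... for renamed entries; the sample URIs and secrets are constructed for the demonstration.

```python
import base64
import binascii
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse


@dataclass
class Entry:
    """Constructed stand-in for an authenticator entry (not Aegis's data model)."""
    issuer: str
    name: str
    secret: str


def _valid_base32(secret: str) -> bool:
    """TOTP secrets are base32; re-pad and decode to reject garbage from a bad scan."""
    try:
        base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
        return True
    except (binascii.Error, ValueError):
        return False


def parse_otpauth(uri: str) -> Entry:
    """Parse an otpauth://totp/<issuer>:<account>?secret=...&issuer=... URI.

    Assumed minimal parser: only the label, secret and issuer are extracted.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    params = parse_qs(u.query)
    secret = params.get("secret", [""])[0].replace(" ", "")
    if not secret or not _valid_base32(secret):
        raise ValueError("missing or malformed secret")
    # The label may carry the issuer as a prefix; the query parameter wins if present.
    label_issuer, account = (label.split(":", 1) + [""])[:2] if ":" in label else ("", label)
    issuer = params.get("issuer", [label_issuer])[0]
    return Entry(issuer=issuer.strip(), name=account.strip(), secret=secret)


def next_free_name(entries: list[Entry], candidate: Entry) -> str:
    """Return candidate.name with the first unused ' #n' suffix for that issuer."""
    taken = {e.name.casefold() for e in entries
             if e.issuer.casefold() == candidate.issuer.casefold()}
    if candidate.name.casefold() not in taken:
        return candidate.name
    n = 2
    while f"{candidate.name} #{n}".casefold() in taken:
        n += 1
    return f"{candidate.name} #{n}"


def add_scanned_entry(entries: list[Entry], uri: str, on_conflict):
    """Add a scanned entry, refusing to silently duplicate an existing name.

    on_conflict(existing, new) stands in for the dialog and returns one of
    'update' (overwrite the secret), 'rename' (add with a suffix) or 'cancel'.
    Returns (status, entry) where status is 'added', 'updated', 'unchanged'
    or 'cancelled'.
    """
    new = parse_otpauth(uri)
    siblings = [e for e in entries if e.issuer.casefold() == new.issuer.casefold()]
    # Re-scanning the same QR code is harmless: the secret already exists.
    same_secret = next((e for e in siblings if e.secret == new.secret), None)
    if same_secret is not None:
        return "unchanged", same_secret
    existing = next((e for e in siblings if e.name.casefold() == new.name.casefold()), None)
    if existing is None:
        entries.append(new)
        return "added", new
    # Same issuer and name but a different secret: this is the orphan case.
    choice = on_conflict(existing, new)
    if choice == "update":
        existing.secret = new.secret
        return "updated", existing
    if choice == "rename":
        new.name = next_free_name(entries, new)
        entries.append(new)
        return "added", new
    return "cancelled", existing


if __name__ == "__main__":
    vault: list[Entry] = []
    first = "otpauth://totp/evil.com:alice?secret=JBSWY3DPEHPK3PXP&issuer=evil.com"
    retry = "otpauth://totp/evil.com:alice?secret=GEZDGNBVGY3TQOJQ&issuer=evil.com"
    print(add_scanned_entry(vault, first, lambda e, n: "cancel"))
    print(add_scanned_entry(vault, retry, lambda e, n: "rename"))
    print([e.name for e in vault])
```

The `on_conflict` callback is where the warning about consequences belongs: choosing "update" discards the old secret, so if the site in fact completed the first registration, the user loses access; "rename" keeps both and makes the two entries distinguishable by name instead of by trial and error.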