by chias
242 days ago
Huh. I remember a while ago Google Authenticator hid TOTP codes until you tap on them to reveal them. I remember thinking this was an absolutely stupid feature, because it did not mitigate any real threat and was annoying and inconvenient. Apparently a lot of people agreed because a few weeks later, Google Authenticator quietly rolled that feature back. I wonder if they were aware of this flaw, and were mitigating the risk.
A relevant threat scenario is when you're using your phone in a public place. Modern cameras are good enough to read your phone screen from a distance, and it seems totally realistic that a hacked airport camera could capture email/password/2FA combinations when people log into sites from the airport.
Ideally, you want the workflow to be that you can copy the secret code and paste it, without the code as a whole ever appearing on your screen.