It's going to take a while for everyone to switch over to passkeys, so in the meantime we still have to contend with the fact that a lot of people use weak passwords and insecure two-factor authentication mechanisms like SMS authentication. While we should nudge people toward a 2FA method that's more secure than SMS, we should also be aware that without this option, many people may not enable 2FA at all!
One downside of SMS 2FA that many users may not be aware of is that these codes can be inadvertently leaked on the lock screen. Although Android offers the option to hide notifications on the lock screen, many users opt to show them there for added convenience. This can lead to 2FA codes being exposed, because the code is often visible right in the notification posted by the user's messaging app, as demonstrated above.
With this in mind, Google is preparing a feature that will automatically redact notifications containing 2FA codes on the lock screen. While digging into Android 14, I discovered a new system flag called "persist.sysui.notification.otp_redaction." This flag "[gates] the redaction of OTP notifications on the lockscreen." After toggling this flag on my Pixel (which requires root access, as it's a "persist" prop), however, notifications containing OTPs were not automatically hidden from the lock screen. It appears that this flag isn't referenced anywhere else in the OS yet, which suggests the feature is still a work in progress.
Still, I think this would be a good feature to have, so I hope to see it fully implemented in the near future, perhaps in an Android 14 QPR. It is possible to detect when a notification contains an OTP (most of the time), as many messaging apps already do this to offer a "copy" button. Using regular expressions, the OS itself could detect such a notification and then prevent the code from being shown on the lock screen.
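To make the heuristic concrete, here is an added example (my own code, not Google's or Android's implementation) of the keyword-plus-regex approach described above: it only treats a message as an OTP notification when OTP vocabulary is present, masks phone numbers and rejects amounts so they are not mistaken for codes, and returns a version of the text with the code blanked out for the lock screen. The keyword list, the patterns and the sample messages are assumptions and constructed inputs.

```python
import re

# Words that usually sit next to a one-time code in English SMS (assumption).
CONTEXT = re.compile(r"\b(?:code|otp|one[- ]?time|verification|passcode|2fa)\b", re.I)
# A code: 4-8 digits, or 3-3 / 4-4 digits split by a space or hyphen, optionally
# prefixed like "G-". Boundaries reject amounts ($1234), percentages and decimals.
CANDIDATE = re.compile(
    r"(?<![\w$.-])(?:[A-Z]-)?(\d{3}[ -]\d{3}|\d{4}[ -]\d{4}|\d{4,8})(?![\w%-]|\.\d)"
)
# Long digit runs with separators are phone numbers; masked so they cannot match.
PHONE = re.compile(r"\+?\d[\d ()-]{8,}\d")

MASK = "\u2022"  # bullet shown in place of each code character


def find_otp(text: str):
    """Return (start, end) of the most likely OTP in text, or None."""
    if not CONTEXT.search(text):
        return None  # no OTP vocabulary: treat as an ordinary message
    # Replace phone numbers with same-length filler so offsets stay valid.
    scrubbed = PHONE.sub(lambda m: "#" * len(m.group()), text)
    hits = [(m.start(1), m.end(1)) for m in CANDIDATE.finditer(scrubbed)]
    if not hits:
        return None
    first_kw = CONTEXT.search(scrubbed).start()
    # Prefer a candidate after the keyword ("code is 4821" beats a trailing year);
    # fall back to the first candidate for "4821 is your code" style messages.
    after = [h for h in hits if h[0] > first_kw]
    return (after or hits)[0]


def redact_for_lockscreen(text: str):
    """Return (text_to_display, was_redacted) for the lock screen."""
    span = find_otp(text)
    if span is None:
        return text, False
    start, end = span
    return text[:start] + MASK * (end - start) + text[end:], True


if __name__ == "__main__":
    SAMPLES = [  # constructed messages, not real ones
        "Your verification code is 4821. Valid until 2025.",
        "G-123456 is your Google verification code.",
        "Use 735 019 as your one-time passcode. Call +1 555 123 4567 for help.",
        "Your order #83920 has shipped. Total $1234.",
    ]
    for sample in SAMPLES:
        print(redact_for_lockscreen(sample))
```

The keyword gate is what keeps order numbers and prices out of the redaction path; a production implementation would need per-language vocabularies and would still miss some formats, which is why the text says "most of the time".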