(...) the much-requested 2-factor authentication feature has finally been added.
(Thanks for letting me work on this, and for the valuable tweaks and additions that you made.) 
Why does this Confirmation OTP field have to be a password field? I think it should be a normal text field.
Hmm... That's a good question. A type="text" field would make it easier for people to see if they've typed in their OTP correctly.
I erred on the side of caution with a lot of the decisions I made with this patch. I think the rationale I used (just guessing, I don't actually remember) when deciding on a type="password" field went something like this: I left theymos some configuration knobs in the code, and I didn't know exactly what values he would settle on. So, as a hedge against him settling on a very long OTP validity-time (like a few minutes or more, instead of ~30 seconds), I thought it best to treat the OTP as password-like (and prevent it from being easily shoulder surfed). That was the thinking behind the OTP field-type on the login page. The thinking behind the OTP field-type on the settings page was just to mirror the field-type from the login page.
Have I started to hear the complaint now that the 2fa code expires too quickly 😂?
If that becomes a problem and more than a few people bump into it, then it's very easy to adjust.
@theymos: If you want to make the OTP codes remain valid for a little longer, then adding 1 more 30-second window of look-behind would be a good start. (Changing the look-behind value near the top of TOTP.php won't affect the otpauth URI, so it won't affect compatibility or disturb anyone's already-imported settings.)
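To illustrate the look-behind knob described above, here is an added Python example (not the forum's TOTP.php, and not the poster's code) of an RFC 6238 verifier with a configurable look-behind, alongside the otpauth URI the authenticator app imports; the URI carries only secret, algorithm, digits and period, so widening the verifier's window leaves already-imported settings untouched. The secret, account and issuer values are constructed for the example; `last_counter` is an assumed replay guard, since each extra 30-second window accepted is one more window in which an observed code stays usable.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30      # seconds per window, as in RFC 6238 and the otpauth URI
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic-truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify(secret: bytes, code: str, now: int, look_behind: int = 1,
           last_counter: int = -1, step: int = STEP):
    """Return the matched counter, or None.

    look_behind is the number of earlier windows still accepted (the
    server-side knob discussed above).  last_counter is an assumed replay
    guard: counters at or below it are refused, so a code that was already
    used cannot be presented again inside the widened window."""
    current = now // step
    for delta in range(0, look_behind + 1):
        counter = current - delta
        if counter <= last_counter:
            break                     # every older window is also spent
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def otpauth_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the authenticator app imports: secret, algorithm, digits, period.
    The verifier's look_behind is not part of it, so changing it server-side
    does not invalidate anything already imported."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP}")
```

The `totp` values for the RFC 6238 test secret `12345678901234567890` match the RFC's SHA1 vectors truncated to six digits.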
Thanks for all the congrats & stuff being left in this topic. Bitcointalk has become a lot more important to me than I expected when I joined. I'm grateful that I get to contribute to it in my own way, and I hope to keep doing that for a good while yet. Cheers!