Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Store secret key for TOTP

I'm looking to setup my website (C#/SQL 2008) to allow two factor authentication using Google Authenticator. I have the site working, from getting the QR code to generating the previous/current/next key (I'm happy to accept 3 in case clocks are out of sync).

Obviously we need to generate a secret key for each user, otherwise every user would have the same one time password.

My question is what is the best practice for storing this key? Can I store it as plain text in the users table, or should it be encrypted?

like image 248
Greg Avatar asked Jan 11 '13 03:01

Greg


People also ask

What is secret key in TOTP?

TOTP is an algorithm — based on HOTP — that generates a one-time password from a shared secret key K and the current timestamp T using a hash function H. The shared secret key K is a Base32 string — randomly generated or derived — known only to the client and the server and different and unique for each token.

Where is 2FA secret stored?

Your 2FA secret key must be stored somewhere safe in the event that you lose access to the device with which you set up 2FA for your Standard Notes account. Typically, Standard Notes is the safe place to store your keys.

How long should TOTP secret be?

A Time-Based One-Time Password or TOTP is a passcode valid for 30 to 90 seconds that has been generated using the value of the Shared Secret and system time. Most often, passcodes are 6-digit codes that change every 30 seconds.


1 Answers

why not varchar ? as far as i know the qr code from google is an alphanumeric string ( that you could write by hand in case you couldn't bother installing a qr code scanner )

on my personal project for college, I generate a 128 character-long alphanumeric strings that I send to my custom TOTP app, my database stores this info as VARCHAR(128) ,

i think a best practice answer depends on how big the key is and how is your key-space defined, instead of 62 alphanumerical digits, why not use the whole ascii table ? you'd need to store your keys as varbyte right ?

like image 102
cristi _b Avatar answered Nov 20 '22 07:11

cristi _b