Menu
I'm looking to setup my website (C#/SQL 2008) to allow two factor authentication using Google Authenticator. I have the site working, from getting the QR code to generating the previous/current/next key (I'm happy to accept 3 in case clocks are out of sync).
Obviously we need to generate a secret key for each user, otherwise every user would have the same one time password.
My question is what is the best practice for storing this key? Can I store it as plain text in the users table, or should it be encrypted?
248
TOTP is an algorithm — based on HOTP — that generates a one-time password from a shared secret key K and the current timestamp T using a hash function H. The shared secret key K is a Base32 string — randomly generated or derived — known only to the client and the server and different and unique for each token.
Your 2FA secret key must be stored somewhere safe in the event that you lose access to the device with which you set up 2FA for your Standard Notes account. Typically, Standard Notes is the safe place to store your keys.
A Time-Based One-Time Password or TOTP is a passcode valid for 30 to 90 seconds that has been generated using the value of the Shared Secret and system time. Most often, passcodes are 6-digit codes that change every 30 seconds.
why not varchar ? as far as i know the qr code from google is an alphanumeric string ( that you could write by hand in case you couldn't bother installing a qr code scanner )
on my personal project for college, I generate a 128 character-long alphanumeric strings that I send to my custom TOTP app, my database stores this info as VARCHAR(128) ,
i think a best practice answer depends on how big the key is and how is your key-space defined, instead of 62 alphanumerical digits, why not use the whole ascii table ? you'd need to store your keys as varbyte right ?
102
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
