
Storing the secret

Open bemurphy opened this issue 11 years ago • 0 comments

This is more about TOTP in general but thought it was worth asking here.

Are there recommendations on securely storing the TOTP.secret per user in the database?

I'm uneasy with cleartext because if somebody can grab read-only access to that table or a backup, they have the secrets.

The best thought I've had so far is using symmetric encryption with the key in the ENV. Is there a better way?

bemurphy, Sep 17 '14 19:09
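The approach raised in the question (symmetric encryption with the key taken from the environment), sketched as an added example that is not part of the original post or of the project's code. It uses AES-256-GCM from Ruby's standard `openssl` library; the module name `TotpSecretBox`, the variable name `TOTP_ENC_KEY`, and the choice to bind the user id as associated data are assumptions made for illustration.

```ruby
require "openssl"

# Added example. TotpSecretBox and TOTP_ENC_KEY are hypothetical names.
module TotpSecretBox
  CIPHER    = "aes-256-gcm"
  NONCE_LEN = 12
  TAG_LEN   = 16

  # Reads a base64-encoded 32-byte key from the environment (or a Hash in tests).
  def self.key_from_env(env = ENV)
    key = env.fetch("TOTP_ENC_KEY").unpack1("m0")
    raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
    key
  end

  # Returns base64(nonce || tag || ciphertext) for the database column.
  # user_id is bound as associated data, so a blob copied to another
  # user's row fails authentication.
  def self.seal(key, user_id, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    nonce = cipher.random_iv            # fresh 96-bit nonce per record
    cipher.auth_data = user_id.to_s
    ct = cipher.update(secret) + cipher.final
    [nonce + cipher.auth_tag(TAG_LEN) + ct].pack("m0")
  end

  # Raises OpenSSL::Cipher::CipherError if the blob, key or user_id is wrong.
  def self.unseal(key, user_id, blob)
    raw = blob.unpack1("m0")
    raise ArgumentError, "blob too short" if raw.bytesize <= NONCE_LEN + TAG_LEN
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = raw.byteslice(0, NONCE_LEN)
    cipher.auth_tag = raw.byteslice(NONCE_LEN, TAG_LEN)
    cipher.auth_data = user_id.to_s
    ct = raw.byteslice(NONCE_LEN + TAG_LEN, raw.bytesize)
    (cipher.update(ct) + cipher.final).force_encoding("UTF-8")
  end
end

if $PROGRAM_NAME == __FILE__
  env  = { "TOTP_ENC_KEY" => ["\x01" * 32].pack("m0") }  # constructed demo key
  key  = TotpSecretBox.key_from_env(env)
  blob = TotpSecretBox.seal(key, 42, "JBSWY3DPEHPK3PXP")  # constructed secret
  puts blob
  puts TotpSecretBox.unseal(key, 42, blob)
end
```

This covers the case described in the question, where someone obtains read-only access to the table or a backup without the key. It does not help if the application host, which holds the key in its environment, is itself compromised.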