LielAmar/2FA

[Idea for better Security] Encrypt TOTP keys

Closed this issue · 4 comments

You encrypt the IP addresses but not the TOTP keys?
You really should encrypt the TOTP keys.

General rule of thumb for TOTP/API Keys:
The app you use to generate the 6 digits should give the keys back (such as Authenticator).
Not the service where the key came from (such as this plugin, SendGrid.com API keys).

The IP addresses are being hashed, not encrypted.

I don't fully understand why encrypting the TOTP token is useful.
Obviously if someone gets the token it's dangerous, however, encrypting the token makes no sense.
After generating the token through the plugin it creates a QR code. If you scan this code, an entry is created in your authenticator with the token used to generate the key (6 digits) you need to authenticate.
Encrypting the token right after generating it would basically mean creating a QR code with the encrypted token.
When the user scans that, they don't scan their token but rather a different string, thus, it'll generate a different 6-digit key every 30 seconds, meaning I'd have to change the authentication mechanism to also use the encrypted token.

I think I either missed something in your explanation or what you said doesn't make sense.

If your whole idea was to encrypt the token in the storage (database/locally), that makes more sense, however, it still would not be too safe when there's an attack, since the attacker would have access to the encryption key as well.

The only way I see this somewhat working is encrypting the token with the user's UUID.
But then you still run into a problem with a database leak - the attacker would have access to the UUIDs regardless, so if they look at the source code, they can pretty much reverse engineer it.

Sorry, I keep thinking hash is encrypting. Technically it is, but different.
Anyways that's what I meant. When you store the key, have it stored hashed.
But now that I think about it more, the plugin needs that key to generate the code to compare what the user supplies.
Okay, so failed idea. My apologies.

No worries at all! Thank you for the suggestions anyways, it's always nice getting them! :)