The main question is: how to safely store 2FA TOTP seeds on a server. Assume I store all user information in a table in a DBMS. I want to protect user data against the case when the whole database is stolen.

The user password is hashed and salted, but I cannot do the same for the 2FA seed.

I have this idea to symmetrically encrypt the 2FA seed with a key derived from the user's password. During login, I will check the given password against the hashed version, and use the same password to decrypt the 2FA seed. The password itself would not be stored anywhere.

What I'm afraid of is that this approach can actually weaken security, and an intruder will be able to recover the user's password from the database (e.g. with a brute-force attack).
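The scheme described in the question, as an added sketch that is not the asker's code: one scrypt call per login yields both the stored password verifier and a separate, never-stored key for the seed. Assumptions: the names `enroll` and `login`, the scrypt parameters, and XOR with KDF output standing in for a real cipher so the block needs only the standard library (a deployment would use an AEAD such as AES-GCM from a vetted library).

```python
import hashlib
import hmac
import secrets

SEED_LEN = 20  # 160-bit TOTP shared secret, assumed uniformly random


def _derive(password: str, salt: bytes):
    """One scrypt call, split in two: the first 32 bytes are the verifier
    that gets stored; the remaining bytes are the seed pad, never stored."""
    out = hashlib.scrypt(password.encode(), salt=salt,
                         n=2**14, r=8, p=1, dklen=32 + SEED_LEN)
    return out[:32], out[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password: str, seed: bytes) -> dict:
    """Build the database row. A fresh salt on every call means the pad is
    never reused, so call this again on password change or new seed."""
    salt = secrets.token_bytes(16)
    verifier, pad = _derive(password, salt)
    return {"salt": salt, "verifier": verifier, "enc_seed": _xor(seed, pad)}


def login(record: dict, password: str):
    """Return the decrypted seed, or None if the password is wrong."""
    verifier, pad = _derive(password, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    return _xor(record["enc_seed"], pad)


if __name__ == "__main__":
    seed = secrets.token_bytes(SEED_LEN)   # constructed sample seed
    row = enroll("correct horse", seed)    # constructed sample password
    # With a stolen row, every password guess costs one full scrypt run
    # whether it is checked against "verifier" or against "enc_seed", so the
    # encrypted seed is no cheaper to attack than the password hash alone.
    print(login(row, "correct horse") == seed, login(row, "guess"))
```

The server cannot decrypt the seed without the password, so a password reset also requires TOTP re-enrollment. The seed is protected only as well as the password resists offline guessing at the chosen KDF cost.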

0 Answers