I'm currently developing two-factor authentication based on TOTP. For this you have to generate a secret and save it on the server side and on the client side (usually through the QR code).
My question: How do I store it in the database? My requirements are that it's saved securely, preferably encrypted. Hashing doesn't work because I need to be able to have the plain-text value in order to calculate the TOTP secret code. When I encrypt it, with what key? Should I use a general key? Should I use the password from the user as the key? This would have the disadvantage that when a password reset is done, I can't decrypt the TOTP secret key anymore.
Any ideas?
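
The two key choices raised in the question, side by side, as an added example that is not part of the original post. It assumes Node.js; `seal`, `unseal`, `passwordKey` and `demo` are hypothetical names, the sample secret is constructed, and binding the user id as associated data is an addition beyond what the question asks.

```javascript
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// Encrypt a TOTP secret with AES-256-GCM. The user id is bound as associated
// data, so a ciphertext copied into another user's row fails to decrypt.
function seal(key, userId, secret) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const c = createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Returns the plain-text secret, or null when the key or user id does not match.
function unseal(key, userId, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(userId));
  d.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: wrong key or tampered data
  }
}

// "Password as the key": derive a 32-byte key from the user's password.
function passwordKey(password, salt) {
  return scryptSync(password, salt, 32);
}

function demo() {
  const secret = 'JBSWY3DPEHPK3PXP'; // constructed sample base32 TOTP secret
  // "General key": assumed to be loaded from outside the database
  // (environment, KMS, HSM); generated here only so the example runs.
  const serverKey = randomBytes(32);
  const salt = randomBytes(16);
  const withServerKey = seal(serverKey, 'user-1', secret);
  const withPassword = seal(passwordKey('old password', salt), 'user-1', secret);
  return {
    serverKey: unseal(serverKey, 'user-1', withServerKey),
    otherUserRow: unseal(serverKey, 'user-2', withServerKey),
    samePassword: unseal(passwordKey('old password', salt), 'user-1', withPassword),
    afterReset: unseal(passwordKey('new password', salt), 'user-1', withPassword),
  };
}
```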