
I am implementing time-based OTP (TOTP) for my network security course. The last time I gave a presentation, my instructor asked me: "If you're going to share the secret key by generating a QR code and then letting the client (soft token) scan it, how are you sure that it's safe?" He meant: how is the procedure of getting the key from the database and then making its QR code safe? What if a third party has access to that web page? Can a third party know the secret key without scanning the code?

I'm so confused from his questions.

Prakhar
    I'm voting to close this question as off-topic because it belongs on either the Software Engineering or Information Security Stack Exchange site. – UnhandledExcepSean Mar 19 '19 at 17:52
  • The QR code should only be available the one time, when the user is setting up 2FA. It shouldn't be user-accessible after that point, i.e. don't put a "here's your secret!" in the app's settings or anything like that. – ceejayoz Mar 19 '19 at 17:56

1 Answer


Most probably the question was about generating the QR code, not really about the security of the shared secret itself (there is nothing more you can do about transferring the shared secret; you have to share it somehow). What you have to be careful about when it comes to QR generation: do not use external services (like Google Charts) to generate the QR code; you have to do it with minimal use of external libraries, ideally purely on the client side. Here is an example: https://github.com/token2/totp-toolset-local

Emin
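The answer's point is that the QR code is nothing more than a picture of an `otpauth://` URI with the secret in its query string, so whoever can read that URI (the page source, the access log of a hosted chart service, a screenshot) has the secret without ever scanning anything. The following is an added example, written for this page; it is not the answer author's code and not the token2 toolset. It uses only the Python standard library: it generates a secret, builds the provisioning URI that a local QR encoder would draw, shows how trivially the secret is recovered from that URI, and implements the RFC 6238 TOTP computation and server-side verification so the two ends can be checked against the RFC's own test vector. The account name and issuer are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Added example, not the answer author's code and not the token2 toolset.
# Standard library only, so no part of the enrolment leaves the host.

RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890" (RFC 6238 test key)


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32 without '=' padding (the form authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// Key URI that the enrolment QR code encodes.
    Account and issuer values are whatever the caller passes; the example ones are made up."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": period},
        quote_via=quote,  # spaces as %20 rather than '+'
    )
    return f"otpauth://totp/{label}?{params}"


def secret_from_uri(uri: str) -> str:
    """The QR code is only a rendering of this string: anyone who can read the otpauth URI
    (page source, a hosted QR service's request log, a screenshot) has the secret without scanning."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


def totp(secret_b32: str, for_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // period)               # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, now=None, window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours for clock skew,
    comparing each candidate in constant time."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret_b32, now + step * period, period=period), submitted)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = generate_secret()
    uri = provisioning_uri(secret, "alice@example.org", "Example Corp")
    print("encode this locally into the QR code:", uri)
    print("a third party who sees the URI gets the secret:", secret_from_uri(uri))
    print("current code for the app to show:", totp(secret, int(time.time())))
```

Sending `uri` to a hosted chart endpoint would hand that third party exactly what `secret_from_uri` extracts, which is the answer's reason for encoding locally. The same applies to the comment about showing the QR only once: once the app has scanned it, the server needs only the stored secret for `verify`, so the URI should not be rendered again.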