2

I want to use Google Authenticator and the TOTP algorithm for 2FA on my website. I have 2 questions about generating the QR secret.

I planned to use Vault to store the secrets to be more secure, but my question is: is there any other way to generate the secret every time instead of storing it in some storage?

I've read in tutorials that I need to use a random secret per user and store that secret in the DB for OTP verification.

My idea was to store a specific secret somewhere safe and generate a hash using that secret per user. For instance, generate the hash using mySecret+userId.

Is it a safe way?

Peter
taraf
  • What's the point to create a hash? – zerkms Jul 04 '19 at 00:07
  • In this way, I can generate the secret for that specific user every time without using any external database or backend. I only need to keep one secret safe – zerkms – taraf Jul 04 '19 at 00:09
  • Sounds reasonable (e.g. use SHA256 to generate user specific secret from master secret + user ID). However, if the user's secret is compromised you have to give them a *new ID* (prob not desirable). Also if the master secret is compromised you have to give everyone a new secret (through QR or whatever). My question is why is it easier to store one secret than one per user? – AJR Jul 04 '19 at 00:10
  • You can use Vault's [Transit Backend](https://www.vaultproject.io/docs/secrets/transit/index.html) to derive keys for users (using the user ID as the context for data keys or HMACs, for instance), although I have to admit that I don't understand why you are trying to do that. Being able to reproduce an encryption key is generally bad, for the same reason that we don't store passwords in a reproducible fashion. – Peter Jul 04 '19 at 05:03
  • "My idea was to store a specific secret somewhere safe." Isn't Vault that safe place though? – Peter Jul 04 '19 at 05:05
  • I wanted to store the master secret somewhere safe like Vault or a k8s secret but generate a one-way secret per user using SHA256 with masterSecret+userId and generate the secret again when I need to verify the user code. – Peter – taraf Jul 04 '19 at 12:54
  • I believe that won't happen. Because if somebody can find a way to access our VPC and k8s cluster and see the master password, in the same way, he'll have access to the Vault or DB as well. I think the security level will be the same. Thanks for your response – AJR – taraf Jul 04 '19 at 13:00

1 Answer

0

Using a master secret and generating the user secret with SHA256 was a bad idea, because the generated secret and QR are always the same. If the user lost his phone and wants to delete the QR code and get a new QR, that's not possible. Best practice would be generating random secrets and storing them in the vault.

taraf
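The rotation problem described in this answer, as an added example that is not code from the original post: it compares the SHA256(masterSecret+userId) derivation from the question with random per-user secrets when a user re-enrolls after losing a phone. `MASTER_SECRET`, `RandomSecretStore` (a stand-in for Vault or a DB), the user ID and the timestamp are constructed assumptions; `totp` follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import secrets
import struct

MASTER_SECRET = b"constructed-master-secret"  # constructed demo value

def derived_secret(user_id: str) -> bytes:
    # Scheme from the question: hash of masterSecret + userId.
    return hashlib.sha256(MASTER_SECRET + user_id.encode()).digest()

class RandomSecretStore:
    """Hypothetical stand-in for Vault or a DB table of per-user secrets."""
    def __init__(self):
        self._by_user = {}

    def enroll(self, user_id: str) -> bytes:
        # Every enrollment replaces the stored secret with fresh randomness.
        self._by_user[user_id] = secrets.token_bytes(20)
        return self._by_user[user_id]

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HOTP over the number of time steps since the Unix epoch.
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, at: float) -> bool:
    return hmac.compare_digest(totp(secret, at), code)

def lost_phone_demo(user_id: str = "user-42", now: int = 1562198400):
    # Derived scheme: "re-enrolling" recomputes the same secret, so a code
    # from the lost phone still verifies after the reset.
    old_derived = derived_secret(user_id)
    new_derived = derived_secret(user_id)
    lost_phone_code = totp(old_derived, now)
    derived_old_still_valid = verify(new_derived, lost_phone_code, now)

    # Random scheme: re-enrolling replaces the secret held by the server,
    # so the lost phone no longer shares a secret with it.
    store = RandomSecretStore()
    old_random = store.enroll(user_id)
    new_random = store.enroll(user_id)
    return derived_old_still_valid, old_random != new_random

if __name__ == "__main__":
    print(lost_phone_demo())
```

With the derived scheme, revoking one user's enrollment requires changing either the user ID or the master secret, which is the trade-off AJR's comment points out.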