
I'm trying to implement TOTP in a program that will be run client-side. There are a few other questions about storing HOTP/TOTP secrets, but they're about the server side and aren't completely clear about the client side.

Storing any secrets plaintext seems unsafe, but if I encrypt it, then the user has to enter a password and it defeats the purpose, right?

I can't hash the secrets because I need the original. So is it OK to store HOTP/TOTP secrets plaintext on the client, or am I missing something?

Michael M.

  • You certainly _could_ encrypt them and require a password to unlock. It _could_ be an extra layer of security. If you have a means to hide the tokens from other applications on the device, it might also be good to adopt that. – Evert Jun 13 '22 at 03:06
  • Many devices have keychain-like stores, and maybe it's enough to just store it there. – Evert Jun 13 '22 at 03:06

0 Answers