Keep secret key for TOTP

Question

Keep secret key for TOTP

I want to set up my site (C # / SQL 2008) to allow two-factor authentication with Google Authenticator. My site works, from receiving a QR code to creating the previous / current / next key (I am glad to accept 3 if the clock is not synchronized).

Obviously, we need to create a secret key for each user, otherwise each user will have the same password.

My question is, what is the best practice for storing this key? Can I store it as plain text in the user table or should it be encrypted?

+4

authentication sql-server-2008 encryption google-authenticator

Greg Jan 11 '13 at 3:20

source share

1 answer

cristi _b · Accepted Answer · 2013-01-13T17:40:51+0000

why not varchar ? as far as i know, the qr code from google is an alphanumeric string (which you could write manually if you could not install the qr code scanner)

in my personal college project, I generate 128-character alphanumeric strings that I send to my regular TOTP application, my database stores this information as VARCHAR (128),

I think the best answer depends on how big the key is and how your key space is determined instead of 62 alphanumeric digits, why not use the entire ascii table? will you need to store your keys as varbyte correctly?

Keep secret key for TOTP

More articles: