Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Argon2, you only need to validate the code matches. If they need new codes you regen them on demand with a user that can satisfy a credential elevation challenge.
-
Voxera113685yYou should always only use hashing for authentication.
I know about TOTP and the sms option but what do you mean by backup codes?
Is it something you have sent to the user that they can return as a kind of one of code?
Or or it like a password they can use to reset their 2FA? -
C0D4667535y@Voxera this sounds like the one off code scenario.
@d4ng3r0u5, hmm that's painful to type out, you should be hashing those one time codes as only the end user who activated 2FA should be the only one to actually know what they are.
SMS on the other hand, I would allow it as an option, but purely as a backup method instead of a default, sms is literally sending a password over plain text. what could go wrong? -
@Voxera
When you register a TOTP, most standard implementations supply a number of 1 time use backup codes that can be used in place of a valid TOTP. The mechanism is designed to compensate for device loss. -
Voxera113685y@SortOfTested @C0D4 @Jilano In that case the local codes should be one way hashed using a good hashing so a leak cannot be used to reset passwords.
Only one with the real code can do it as you rehash what they supply before checking.
Unless this is handled by TOTP in which case I hope the sent code already is different from the stored.
Related Rants
-
xonya30** The most hilarious authentication implementation I've ever seen ** They stored password in cleartext, but ...
-
linuxxx39I get that fingerprint authentication is very convenient but I'd never use it (not even for privacy reasons th...
-
gosubinit10Protecting credentials from eavesdropping using HTTP Basic Authorization header:
I'm implementing 2FA supporting TOTP, SMS and backup codes. To store the backup codes I've issued in my app's database, what should I do re hashing/encryption?
question
authentication