Вопрос

I'm looking to setup my website (C#/SQL 2008) to allow two factor authentication using Google Authenticator. I have the site working, from getting the QR code to generating the previous/current/next key (I'm happy to accept 3 in case clocks are out of sync).

Obviously we need to generate a secret key for each user, otherwise every user would have the same one time password.

My question is what is the best practice for storing this key? Can I store it as plain text in the users table, or should it be encrypted?

Это было полезно?

Решение

why not varchar ? as far as i know the qr code from google is an alphanumeric string ( that you could write by hand in case you couldn't bother installing a qr code scanner )

on my personal project for college, I generate a 128 character-long alphanumeric strings that I send to my custom TOTP app, my database stores this info as VARCHAR(128) ,

i think a best practice answer depends on how big the key is and how is your key-space defined, instead of 62 alphanumerical digits, why not use the whole ascii table ? you'd need to store your keys as varbyte right ?

Лицензировано под: CC-BY-SA с атрибуция
Не связан с StackOverflow
scroll top