OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: [Multifactor Authentication Cheat Sheet]: Further info about TOTP secret-key storage #678

Closed tuckerww closed 6 days ago

tuckerww commented 3 years ago

What is missing or needs to be updated?

There is no info about the proper way to store users' secrets for TOTP MFA. Should these secrets be stored in plaintext or be 2-way encrypted? If encrypted should it use a dedicated key on the server or use something like the user's password or email address or username?

How should this be resolved?

A brief subsection or bullet point, or perhaps a link to a separate cheat-sheet, describing the industry-standard (if such exists) for how to store the users' secret-keys for TOTP authentication. Or at least a line saying whether these secrets need to be encrypted or not.

I don't know the answer to the above question, so I won't propose any text.
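As an added illustration of the first option raised above (a dedicated server-side key rather than anything derived from the user's password or e-mail), the following Go code encrypts each user's TOTP secret with AES-256-GCM under a key-encryption key assumed to be held outside the user database, binds the ciphertext to the user ID, and computes the RFC 6238 code from the decrypted secret. This is example code written for this thread, not the cheat sheet's or the project's; the key, user IDs and secrets in the comments are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// newGCM builds AES-256-GCM from the server-side key-encryption key (kek), assumed
// to live outside the user database (e.g. a KMS), so a table dump alone yields no seeds.
func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // a 32-byte kek selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTOTPSecret encrypts a raw TOTP secret for storage; the user ID is bound as
// associated data so a blob moved onto another user's row will not decrypt.
func sealTOTPSecret(gcm cipher.AEAD, userID string, secret []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(userID)), nil // nonce || ct || tag
}

// openTOTPSecret reverses sealTOTPSecret; it fails on a wrong key, a modified
// blob, or a user ID different from the one used at seal time.
func openTOTPSecret(gcm cipher.AEAD, userID string, blob []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("stored blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(userID))
}

// totpCode returns the RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits) for a Unix time.
func totpCode(secret []byte, unixTime int64) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, uint64(unixTime/30)))
	h := mac.Sum(nil)
	// Dynamic truncation: offset is the low nibble of the last HMAC byte.
	bin := binary.BigEndian.Uint32(h[h[len(h)-1]&0x0f:]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}
```

The plaintext secret should exist only for the duration of `totpCode`; decrypt it inside the verification path and never log or cache it.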

mackowski commented 3 years ago

Thanks @tuckerww! @jmanico I think that we can link to the Cryptographic Storage Cheat Sheet for guidance.

jmanico commented 3 years ago

That sounds like a good idea @mackowski.

mackowski commented 6 days ago

I am closing this because of no activity here for a looong time