Open wuxiuhong opened 7 years ago
@wuxiuhong, in my web application, I create recovery codes just by randomly generating them using a cryptographically strong random generator like openssl_random_pseudo_bytes()
and then securely hash them like I do with passwords and then store them in the database with the user. The plain text (not the hash) of it I give to the user.
Pitfall: you can show the code to the user only once. If he loses it, he must get a new code. (Like with passwords)
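
The scheme described in the reply above, as an added example that is not part of the original thread or the project's code: codes come from `openssl_random_pseudo_bytes()`, only their `password_hash()` output is stored, and the plain text is returned once for display. The function names, the code length and format, and the in-memory array standing in for the database are assumptions, and removing a code after it has been used goes beyond what the reply states.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; $storedHashes stands in for the user's rows in the database.

/** Generate $count recovery codes. Returns [plaintext codes, hashes to store]. */
function generateRecoveryCodes(int $count = 8, int $bytes = 10): array
{
    $plain = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw === false || $strong !== true) {
            throw new RuntimeException('No cryptographically strong random source available');
        }
        // Lowercase hex in groups of 5 so the user can read and type it.
        $code = implode('-', str_split(bin2hex($raw), 5));
        $plain[] = $code;                                    // shown to the user once, never stored
        $hashes[] = password_hash($code, PASSWORD_DEFAULT);  // salted hash, this is what gets stored
    }
    return [$plain, $hashes];
}

/** Check a submitted code against the stored hashes; a matching hash is removed (single use). */
function redeemRecoveryCode(string $submitted, array &$storedHashes): bool
{
    $normalized = strtolower(trim($submitted));
    foreach ($storedHashes as $i => $hash) {
        // Each hash has its own salt, so every stored hash has to be tried.
        if (password_verify($normalized, $hash)) {
            unset($storedHashes[$i]);
            return true;
        }
    }
    return false;
}

// Constructed demo: issue three codes, redeem one, replay it, then try a code never issued.
[$codes, $store] = generateRecoveryCodes(3);
echo "Show once to the user:\n", implode("\n", $codes), "\n";
var_dump(redeemRecoveryCode($codes[1], $store));
var_dump(redeemRecoveryCode($codes[1], $store));
var_dump(redeemRecoveryCode('00000-00000-00000-00000', $store));
```

Because only hashes are kept, a lost code cannot be shown again; calling `generateRecoveryCodes()` again and replacing the stored hashes is the only way to reissue.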
How to develop a recovery code?