PHPGangsta / GoogleAuthenticator

PHP class to generate and verify Google Authenticator 2-factor authentication
http://phpgangsta.de/4376
BSD 2-Clause "Simplified" License

Can I save the secret in my database? #53

Open viniciussvl opened 6 years ago

viniciussvl commented 6 years ago

When a user generates the secret key, he will have to save it in a safe place and also in the Google application. When validating the code entered by the user at login, I need the secret and the code entered, so my question is: can I store the secret in my database?

And when the user loses the secret key, what is recommended? Show the secret to him? Remove it from the database and give him the option to generate a new key? Please, I'm a beginner and I really want to know these things about 2 factors.

willpower232 commented 6 years ago

When a user generates a secret key in your application, this will typically be stored in their authentication app and not revealed by that app after it is saved.

If the user chooses to store their secret key publicly, that's on them to keep it secure.

You also need to store the secret, but you should only show it to the user once for setup. It's only a short text string, so it should fit easily into most databases.

If the user loses the secret, you should permit them a way of clearing and recreating the secret.
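The flow described in the answer above, as an added example that is not part of the library or of this thread: the server generates the secret with the library's `createSecret()`, stores it encrypted at rest, shows it exactly once, verifies login codes with the library's `getCode()`, and on a lost device discards the old secret and enrols again instead of revealing it. The `TwoFactorStore` class, the `Example App` issuer, user id 42, the in-memory `$rows` array standing in for a database table, and the use of libsodium for encryption are all assumptions of this example; the library functions used (`createSecret`, `getCode`) exist in PHPGangsta_GoogleAuthenticator. It assumes PHP 7.4+ with the sodium extension and the library file at the path in the `require_once`.

```php
<?php
// Added example, not code from PHPGangsta/GoogleAuthenticator or from this issue.
// Assumes PHP >= 7.4 with ext-sodium and the library at this path.
require_once 'PHPGangsta/GoogleAuthenticator.php';

final class TwoFactorStore
{
    private PHPGangsta_GoogleAuthenticator $ga;
    private string $masterKey;   // server-side key (KMS / env var); never stored next to the secrets
    /** @var array<int, array{secret: string, last_slice: int}> constructed stand-in for a DB table */
    private array $rows = [];

    public function __construct(string $masterKey)
    {
        if (strlen($masterKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('master key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->ga = new PHPGangsta_GoogleAuthenticator();
        $this->masterKey = $masterKey;
    }

    /** Enrol a user: create a secret, store it encrypted, return it ONCE for the setup screen. */
    public function enroll(int $userId, string $accountLabel): array
    {
        $secret = $this->ga->createSecret();                    // 16 base32 chars from a CSPRNG
        $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = sodium_crypto_secretbox($secret, $nonce, $this->masterKey);
        $this->rows[$userId] = [
            'secret'     => base64_encode($nonce . $cipher),     // the value that goes in the DB column
            'last_slice' => 0,
        ];
        // Standard otpauth:// key URI; this is what the setup QR code should encode (assumed issuer name).
        $issuer  = rawurlencode('Example App');
        $otpauth = sprintf('otpauth://totp/%s:%s?secret=%s&issuer=%s',
            $issuer, rawurlencode($accountLabel), $secret, $issuer);
        return ['secret' => $secret, 'otpauth' => $otpauth];
    }

    /** Verify a 6-digit code. Allows one 30 s step of clock drift, rejects reuse of an accepted slice. */
    public function verify(int $userId, string $code): bool
    {
        if (!isset($this->rows[$userId]) || !preg_match('/^\d{6}$/', $code)) {
            return false;
        }
        $secret = $this->decrypt($this->rows[$userId]['secret']);
        $now    = intdiv(time(), 30);                            // TOTP time slice, 30 s
        for ($slice = $now - 1; $slice <= $now + 1; $slice++) {
            $expected = $this->ga->getCode($secret, $slice);     // library computes the code for that slice
            if (hash_equals($expected, $code)) {
                if ($slice <= $this->rows[$userId]['last_slice']) {
                    return false;                                // replay: this code was already accepted
                }
                $this->rows[$userId]['last_slice'] = $slice;
                return true;
            }
        }
        return false;
    }

    /** Lost device: never show the old secret; drop it and enrol again (after re-authenticating the user). */
    public function reset(int $userId, string $accountLabel): array
    {
        unset($this->rows[$userId]);
        return $this->enroll($userId, $accountLabel);
    }

    private function decrypt(string $stored): string
    {
        $raw    = base64_decode($stored, true);
        $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $secret = sodium_crypto_secretbox_open($cipher, $nonce, $this->masterKey);
        if ($secret === false) {
            throw new RuntimeException('stored TOTP secret failed authentication');
        }
        return $secret;
    }
}

// Demo run. A real master key comes from a KMS or environment variable, not from random_bytes() at boot.
$store = new TwoFactorStore(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
$setup = $store->enroll(42, 'alice@example.com');
echo "Show once, then discard: {$setup['secret']}\n{$setup['otpauth']}\n";

// Stand in for the phone app by computing the current code with the library itself.
$phone = new PHPGangsta_GoogleAuthenticator();
$code  = $phone->getCode($setup['secret']);
var_dump($store->verify(42, $code));   // true
var_dump($store->verify(42, $code));   // false: same slice replayed
$fresh = $store->reset(42, 'alice@example.com');
var_dump($store->verify(42, $code));   // false: old secret is gone
```

Two points the thread only implies: the secret must be stored in a form the server can read back (it is the shared HMAC key, so hashing it like a password is not an option; encrypting it under a key kept outside the database limits what a SQL dump alone yields), and in a real table the `last_slice` update and the verification must happen in one transaction or with a conditional `UPDATE ... WHERE last_slice < ?`, otherwise two concurrent logins can both accept the same code.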