Can you help me understand the secret please?

pyauth / pyotp

Python One-Time Password Library

https://pyauth.github.io/pyotp/

Other

2.95k stars 321 forks source link

Can you help me understand the secret please? #70

Closed bootrino closed 5 years ago

bootrino commented 5 years ago

Your documentation suggest using qrious - this is fine and works well.

The thing that puzzles me is that the provisioning URI contains the secret key, and yet we send this URI to the client end to be turned into a QR code by qrious. So the secret key isn't secret because it has been sent to the client.

I would have expected that the secret key must never be sent out of the back end - what am I failing to understand?

thanks

tilkinsc commented 5 years ago

Also, check out QRCoder (C#)

Here is the flow:

A base32 string is generated randomly
It is agreed upon by all clients to use it and the generator transfers it via plain text or qr code scanning to said clients
Numbers are generated based on a truncated hmac'd version, time, etc on the unbase32 version of the string
Numbers are agreed upon by the unreversable truncated hmac

So basically as long as your base32 string doesn't get sniffed from the get go, you are fine.

bootrino commented 5 years ago

Am I correct in understanding that:

a unique secret is generated for every client/every client has its own secret.
the secret is a secret, but is known to both the back end, and also to the one specific client.
the secret is stored in the database record for that client.
there is no problem to send the secret to the front end to make the QR code, because it is sent ONLY to the client who owns it presumably via HTTPS - i.e. sending it to the front end does not make it public.
when authenticator codes are sent from the front end to the back end for verification, the secret is retrieved from the client's database record and is used to verify.

kislyuk commented 5 years ago

@bootrino your interpretation is correct. HOTP and TOTP are based on a shared secret. Keeping the secret confidential between your application and the user's user agent is your responsibility as the application developer (and is typically done via HTTPS as you mention).

You can find a detailed discussion of the shared secret strategy in https://tools.ietf.org/html/rfc4226#section-7.5. This design element is shared between TOTP and HOTP.

Because of the shared secret design, TOTP and HOTP are fundamentally less secure than FIDO U2F and other standards derived from it.

kislyuk commented 5 years ago

Closing this issue, but feel free to comment if you need further clarification.