4

I need to implement 2FA in my web app. I'm doing this the standard way: the newly created user's seed is retrieved from the server (I use speakeasy) and the QR code is generated. The thing is, it's possible to steal this seed from the browser's memory (maybe not likely, but still...). Is this the standard way to do this? What is the best practice for this?

Thanks!

omri perl
  • 43
  • 5

1 Answer

1

A lot of what happens on the user's machine is going to be out of your control, and reliant on a sanitary system and/or browser isolation.

To that end, you can just do your best to clear the memory contents when you're done. Perhaps fill a byte array with zeroes, or explicitly delete a property reference if you're paranoid. Though the latter at least won't force the GC to clear the memory, and it will do this in its own time.

It also boils down to the fact that if you have a machine or browser compromised in some way such that browser memory is being read from your site's tab, then you have bigger problems.

Dan
  • 198
  • 5