0

I'm currently learning about Time-based One-Time Password implementations (see RFC6283). I see that a shared secret is part of the algorithm.

This shared secret is exposed to the user (see example with Google Authenticator).

So I'd like to ask:

  1. Why is this okay? Is this not risky in that the secret key can be inadvertently shared from there and end up in the wrong hands?
  2. Would the secret key be per user, or for all users of the backend application (I suppose the latter is the case as I've see it as a configuration setting in implementations)?
  3. What steps are recommended to ensure that this secret key does not fall into the wrong hands?
Community
  • 1
Gigi
  • 1,280
  • 1
  • 11
  • 12

1 Answers1

1
  1. Because it's necessary for the algorithm to work, valid codes can't just be generated out of thin air. Users should be told not to share the QR code. The fact that it's being used for 2FA should hopefully be enough for most people to understand that it shouldn't be shared, but some implementations could certainly be improved here.
  2. The key must be per user. If it were the same key for all users, all users would be generating the same codes.
  3. Tell the user not to share it, and follow good security practices to make sure your app isn't vulnerable to things like SQL injection that an attacker could use to get all the secrets.
AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50