In TOTP implementations, it's always suggested that you give your users recovery codes. Should I treat these like tokens? Display them once and hash them?
If so, I'd love to know why. If not, I'm curious too.
What it appears you have in this particular TOTP library is the requirement to create and implement a 2FA bypass function outside of TOTP.
These are a set of one time use codes that can be used instead of the TOTP. These can simply be randomly generated strings that you store in your backend.
Those recovery keys are "golden keys" that unlock the account. These become like a second password, and as such, should be protected and implemented in the same manner.
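To make the answer above concrete, here is an added example (not code from the question's library or from the answer's author) of the "random string, stored hashed, single use" approach. It assumes a Python backend with an in-memory list of records standing in for a database row per code. The codes are 10 random bytes (80 bits of entropy) rendered as base32, so a plain SHA-256 digest is enough to make an offline guess against a leaked table infeasible; if your policy is to mirror your password storage exactly, swap `_digest` for the same KDF you use for passwords.

```python
import base64
import hashlib
import hmac
import secrets

# Assumptions for this example: 10 recovery codes per user, each 10 random
# bytes (80 bits), shown as 4 groups of 4 base32 characters.
CODE_BYTES = 10
CODE_COUNT = 10


def _normalize(code: str) -> str:
    """Canonicalize user input: drop separators/whitespace, lowercase."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str) -> str:
    """Hash the canonical form. The code's 80 bits of entropy, not a slow KDF,
    is what protects the stored hash from brute force."""
    return hashlib.sha256(_normalize(code).encode("ascii")).hexdigest()


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext_codes, stored_records).

    The plaintext list is displayed to the user exactly once and then
    discarded; only the records (hash + used flag) are persisted.
    """
    codes = []
    records = []
    for _ in range(count):
        raw = secrets.token_bytes(CODE_BYTES)
        # 10 bytes -> 16 base32 chars with no '=' padding.
        b32 = base64.b32encode(raw).decode("ascii").lower()
        code = "-".join(b32[i:i + 4] for i in range(0, len(b32), 4))
        codes.append(code)
        records.append({"hash": _digest(code), "used": False})
    return codes, records


def redeem_recovery_code(records, submitted: str) -> bool:
    """Consume one unused code matching `submitted`; True on success.

    Every unused record is compared (no early exit) with a constant-time
    comparison, then the matched one is marked used so it cannot be replayed.
    """
    candidate = _digest(submitted)
    matched = None
    for index, rec in enumerate(records):
        if rec["used"]:
            continue
        if hmac.compare_digest(rec["hash"], candidate) and matched is None:
            matched = index
    if matched is None:
        return False
    records[matched]["used"] = True
    return True


if __name__ == "__main__":
    plaintext, stored = generate_recovery_codes()
    print("Show these once and never store them:")
    for c in plaintext:
        print("  ", c)
    print("Redeem first code:", redeem_recovery_code(stored, plaintext[0]))
    print("Replay first code:", redeem_recovery_code(stored, plaintext[0]))
```

In a real deployment the `records` list is a table keyed by user id, the `used` flag is flipped inside the same transaction that completes the login, and a successful redemption should be logged and surfaced to the user (e.g. "a recovery code was used, you have N left") so that use of a stolen code is noticed.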