I implemented 2FA authentication for a web app with PHP and Google Authenticator. In order to log in to my system there are a few steps:
1. User types in a complex master password in order to access the login page. The request is throttled to only 1 request every hour and includes a CAPTCHA.
2. User types in username and password in a web application on their computer. Forms contain a CSRF token.
3. There is a Google reCAPTCHA v3 to ensure the request comes from a human. This check is done in the frontend and backend.
4. When the username and password match, the server gets the secret key from the user database table and generates a QR code which is injected as a data URI src inside an HTML image tag. The user scans the barcode with Google Authenticator, which in turn generates a code which the user can use to log in to the system.
What I don't understand: Can't anyone scan the QR code if they cracked the username and password? I have the feeling I'm doing something wrong in step 4.
Anyone could download the authenticator, so I'm not entirely sure if it's secure, or is storing the secret inside my database a bad idea? Should users type in their secret to generate the QR code manually? Also, I'm thinking, shouldn't the secret change every once in a while?
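As an added example (not the asker's code), the separation the question circles around: the QR code carries the shared secret, so it belongs to a one-time enrollment step that is confirmed with a valid code, while every later login only checks the 6-digit code against the secret already stored server-side. It assumes the RFC 6238 defaults Google Authenticator uses (SHA-1, 30-second steps, 6 digits); `$user`, the issuer `MyApp` and the account `alice@example.com` are constructed stand-ins for the database row.

```php
<?php
// Added example (not the asker's code): RFC 6238 TOTP as Google Authenticator computes it
// (SHA-1, 30 s steps, 6 digits). $user stands in for a hypothetical DB row.
function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $bits .= str_pad(decbin(strpos($alphabet, $c)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }   // drop trailing partial bits
    }
    return $out;
}
function totp(string $b32Secret, int $step): string {
    $hash = hash_hmac('sha1', pack('J', $step), base32Decode($b32Secret), true); // 8-byte BE counter
    $o = ord($hash[19]) & 0x0f;                                                   // dynamic truncation
    $code = ((ord($hash[$o]) & 0x7f) << 24) | (ord($hash[$o + 1]) << 16)
          | (ord($hash[$o + 2]) << 8) | ord($hash[$o + 3]);
    return str_pad((string)($code % 1000000), 6, '0', STR_PAD_LEFT);
}
// Enrollment, done ONCE: generate the secret, return the otpauth URI for a single QR display.
function enroll(array &$user, string $issuer): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $secret = ''; for ($i = 0; $i < 32; $i++) { $secret .= $alphabet[random_int(0, 31)]; } // 160 bits
    $user += ['secret' => $secret, 'totp_active' => false, 'last_step' => -1];
    return 'otpauth://totp/' . rawurlencode("$issuer:{$user['name']}")
         . "?secret=$secret&issuer=" . rawurlencode($issuer) . '&algorithm=SHA1&digits=6&period=30';
}
// Login, every time: the secret never leaves the server; accept +/-1 step of skew, never reuse a step.
function verifyTotp(array &$user, string $code, int $now): bool {
    $current = intdiv($now, 30);
    for ($step = $current - 1; $step <= $current + 1; $step++) {
        if ($step > $user['last_step'] && hash_equals(totp($user['secret'], $step), $code)) {
            $user['last_step'] = $step;   // remember the accepted step so an observed code cannot be replayed
            return true;
        }
    }
    return false;
}
// Self-check against the RFC 6238 SHA-1 vector: secret "12345678901234567890" (base32 below), T=59.
if (totp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 1) !== '287082') { throw new RuntimeException('TOTP broken'); }
$user = ['name' => 'alice@example.com'];                     // constructed sample user
$now  = time();
$uri  = enroll($user, 'MyApp');                              // render $uri as the QR, once, at enrollment
$user['totp_active'] = verifyTotp($user, totp($user['secret'], intdiv($now, 30)), $now); // confirm enrollment
$replayed = verifyTotp($user, totp($user['secret'], intdiv($now, 30)), $now);            // false: step already used
```

After `enroll()` the URI (and the QR built from it) is discarded; the login form only ever asks for the 6-digit code, so knowing the username and password alone yields nothing about the secret.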