Argon2, you only need to validate the code matches. If they need new codes you regen them on demand with a user that can satisfy a credential elevation challenge.
Voxera 7003 29d
You should always only use hashing for authentication.
I know about TOTP and the SMS option, but what do you mean by backup codes?
Is it something you have sent to the user that they can return as a kind of one-off code?
Or is it like a password they can use to reset their 2FA?
C0D4 47634 29d
@Voxera this sounds like the one-off code scenario.
@d4ng3r0u5, hmm, that's painful to type out. You should be hashing those one-time codes, as the end user who activated 2FA should be the only one to actually know what they are.
SMS, on the other hand, I would allow as an option, but purely as a backup method instead of a default. SMS is literally sending a password in plain text. What could go wrong?
halfflat 1818 29d
I'm guessing ROT13 doesn't cut it anymore.
Voxera 7003 28d
@SortOfTested @C0D4 @Jilano In that case the local codes should be one-way hashed using a good hashing algorithm, so a leak cannot be used to reset passwords.
Only someone with the real code can do it, as you rehash what they supply before checking.
Unless this is handled by TOTP, in which case I hope the code sent is already different from the stored one.
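The "store only the hash, rehash what the user supplies, burn the code on use" flow the thread describes, as an added example that is not code from the thread. It uses `hashlib.scrypt` from the Python standard library as a stand-in for Argon2, and the cost parameters and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters: illustrative values (about 16 MiB), tune for your server.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def generate_backup_codes(count: int = 8, nbytes: int = 5) -> list[str]:
    """Random one-time codes, shown to the user exactly once."""
    return [secrets.token_hex(nbytes) for _ in range(count)]


def hash_code(code: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so a user typing "ABCD..." still matches.
    normalised = code.strip().lower().encode()
    return hashlib.scrypt(normalised, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_backup_codes(codes: list[str]) -> list[dict]:
    """What goes in the database: per-code salt, the hash, a used flag. Never the code itself."""
    records = []
    for code in codes:
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": hash_code(code, salt), "used": False})
    return records


def redeem_backup_code(records: list[dict], supplied: str) -> bool:
    """Rehash the supplied code against every unused record; on a match mark it used.
    A leaked table gives an attacker only hashes, and a redeemed code cannot be replayed."""
    for rec in records:
        if rec["used"]:
            continue
        candidate = hash_code(supplied, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["used"] = True
            return True
    return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    db = store_backup_codes(codes)
    print("Show these to the user once:", codes)
    print("first use:", redeem_backup_code(db, codes[0]))
    print("replay:", redeem_backup_code(db, codes[0]))
```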