I'm implementing 2FA supporting TOTP, SMS and backup codes. To store the backup codes I've issued in my app's database, what should I do re hashing/encryption?

  • 1
    Argon2, you only need to validate the code matches. If they need new codes you regen them on demand with a user that can satisfy a credential elevation challenge.
  • 2
    You should always only use hashing for authentication.

I know about TOTP and the SMS option, but what do you mean by backup codes?

    Is it something you have sent to the user that they can return as a kind of one-off code?

    Or is it like a password they can use to reset their 2FA?
  • 1
@Voxera I'd say it must be the former. By the way, OP, it might just be my opinion, but SMS 2FA isn't really secure. On the contrary, it's often abused.
  • 1
@Voxera this sounds like the one-off code scenario.

    @d4ng3r0u5, hmm, that's painful to type out. You should be hashing those one-time codes, as the end user who activated 2FA should be the only one who actually knows what they are.

    SMS, on the other hand, I would allow as an option, but purely as a backup method instead of a default; SMS is literally sending a password in plain text. What could go wrong?
  • 1
When you register a TOTP, most standard implementations supply a number of one-time-use backup codes that can be used in place of a valid TOTP. The mechanism is designed to compensate for device loss.
  • 1
    I'm guessing ROT13 doesn't cut it anymore.
  • 1
@SortOfTested @C0D4 @Jilano In that case the local codes should be one-way hashed using a good hash, so a leak cannot be used to reset passwords.

    Only someone with the real code can do it, as you rehash what they supply before checking.

    Unless this is handled by TOTP, in which case I hope the sent code is already different from the stored one.
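As an added example (not code from the question or from any commenter above), here is one way to implement what the thread describes: a set of one-time backup codes generated from the OS CSPRNG, stored only as salted slow-hash digests, checked by rehashing whatever the user submits, consumed on first successful use, and regenerable only after a credential elevation step. Assumptions, all hypothetical: the code format (10 characters from a 36-symbol alphabet, displayed as xxxxx-xxxxx), one salt per user's code set, and scrypt from Python's standard library standing in for the Argon2 the first comment recommends (argon2-cffi's PasswordHasher would be the production drop-in); the class and function names are mine.

```python
"""One-time 2FA backup codes: issue, store hashed, redeem once. Added example."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
CODE_CHARS = 10                                      # 36**10 is roughly 2**51.7 guesses
SALT_BYTES = 16
# scrypt cost parameters; assumption: scrypt stands in for Argon2id here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_backup_code() -> str:
    """Random code from the OS CSPRNG, shown to the user as xxxxx-xxxxx."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_CHARS))
    return raw[:5] + "-" + raw[5:]


def normalize(code: str) -> str:
    """Drop separators, whitespace and case so 'AB12C-D3E4F' and 'ab12cd3e4f' match."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash of the normalized code (never store the plaintext)."""
    return hashlib.scrypt(normalize(code).encode("ascii"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


@dataclass
class StoredCode:
    digest: bytes
    used: bool = False


@dataclass
class BackupCodeSet:
    """What the database row holds: a per-user salt and digests, no plaintext."""
    salt: bytes = b""
    codes: List[StoredCode] = field(default_factory=list)


def issue_backup_codes(store: BackupCodeSet, elevated: bool, count: int = 8) -> List[str]:
    """(Re)issue a full set, invalidating any previous set. The plaintext is
    returned exactly once for display; only the digests are kept."""
    if not elevated:
        raise PermissionError("re-authenticate (credential elevation) before regenerating codes")
    plaintext = [generate_backup_code() for _ in range(count)]
    store.salt = os.urandom(SALT_BYTES)
    store.codes = [StoredCode(hash_code(c, store.salt)) for c in plaintext]
    return plaintext


def redeem_backup_code(store: BackupCodeSet, supplied: str) -> bool:
    """Rehash the submitted code and compare it with every stored digest.
    A hit on an unused code consumes it; anything else fails."""
    if not store.codes or len(normalize(supplied)) != CODE_CHARS:
        return False
    candidate = hash_code(supplied, store.salt)
    hit: Optional[int] = None
    for i, entry in enumerate(store.codes):
        # Scan every entry rather than returning on the first hit.
        if hmac.compare_digest(candidate, entry.digest) and not entry.used:
            hit = i
    if hit is None:
        return False
    store.codes[hit].used = True
    return True


def remaining(store: BackupCodeSet) -> int:
    """How many unused codes are left (useful for warning the user to regenerate)."""
    return sum(1 for c in store.codes if not c.used)


if __name__ == "__main__":
    db_row = BackupCodeSet()
    shown_once = issue_backup_codes(db_row, elevated=True)
    print("Give these to the user once:", shown_once)
    print("first use :", redeem_backup_code(db_row, shown_once[0].upper()))  # True
    print("second use:", redeem_backup_code(db_row, shown_once[0]))          # False
    print("remaining :", remaining(db_row))                                   # 7
```

The slow, salted hash matters more here than for a normal password: a ten-character code has only about 52 bits of entropy, so a leaked table of fast unsalted digests could be attacked offline, whereas scrypt or Argon2 puts that out of reach. Redemption attempts should also be rate-limited per account like any other login factor, and the `elevated` flag models the first comment's point that a fresh set is only handed out after the user re-proves possession of their credentials.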