• Resolved sertys

    (@sertys)


    I recently installed your plugin and enforced 2FA authentication for my superadmins and admins. I wanted to extract the TOTP tokens to import them into a different internal software, so the users can use their token in both places. In the process I had to look in your code to find out how to extract the current tokens and noticed they were SSL encrypted (data is in the format “ssl_{key}”), and the decryption key is kept in the wp_sitemeta table as the meta_key wp_2fa_secret_key. I implemented a decryptor, but the question arises as to why the encryption key is kept in the same database as the encrypted material. This, in my opinion, is faux security.
    Do you plan on keeping the key in a different place, so a possible attacker dumping the database will not be able to decrypt the TOTP keys easily?

    Otherwise, greetings for the great work thus far.

    Daniel

Viewing 1 replies (of 1 total)
  • Plugin Contributor robertabela

    (@robert681)

    Hello @sertys

    Thank you very much for trying our plugin and for your message, and sorry for the late reply.

    I agree with you that this is not the best solution. However, it isn’t faux security either. Allow me to explain:

    This is just the first step of keeping the TOTP codes secure. Our aim is to store the secret key in a file, for example in the wp-config.php file. We have not implemented this yet because when we tried we encountered a lot of problems; many web hosts / security plugins etc. block write access to the wp-config.php and other files. Hopefully we will find a solution to this shortly.

    However, we still have chosen to encrypt the TOTP code and store the key in the database because at the end of the day, it is another step a malicious user has to tackle should they get their hands on the database, and many of them wouldn’t know what they need to. Also, if someone has a copy of the database, there is much more to worry about than the TOTP code, but that does not mean we will stop here.

    I hope the above answers your question. Should you require more information, please do not hesitate to ask.

    Thank you very much and have a great day.
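As an added illustration (not code from the WP 2FA plugin; the constant name, option name and blob format are assumptions), this PHP contrasts the two key locations discussed in the thread: a key row in wp_sitemeta next to the ciphertext, and a constant defined in wp-config.php. It checks what a copy of the database alone yields in each design.

```php
<?php
// Added illustration, not WP 2FA plugin code. Names and blob format are
// assumptions chosen for the demo, not the plugin's actual "ssl_" format.

const TOTP_CIPHER = 'aes-256-gcm';

// Encrypt a TOTP secret with an authenticated cipher: base64(iv . tag . ct).
function seal_secret(string $key, string $totp_secret): string {
    $iv  = random_bytes(openssl_cipher_iv_length(TOTP_CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($totp_secret, TOTP_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return base64_encode($iv . $tag . $ct);
}

// Decrypt; null on a wrong key or tampered blob (the GCM tag check fails).
function open_secret(string $key, string $blob): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { return null; }
    $iv = substr($raw, 0, 12); $tag = substr($raw, 12, 16); $ct = substr($raw, 28);
    $pt = openssl_decrypt($ct, TOTP_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Key resolution: a constant from wp-config.php wins; the database row is
// only a fallback. Returns [key bytes, where the key came from].
function resolve_key(array $sitemeta): array {
    if (defined('WP2FA_SECRET_KEY')) {                      // assumed name
        return [hex2bin(constant('WP2FA_SECRET_KEY')), 'wp-config.php'];
    }
    return [hex2bin($sitemeta['wp_2fa_secret_key'] ?? ''), 'database'];
}

// Report whether someone holding only the wp_sitemeta row can decrypt.
function dump_recovers(array $sitemeta, string $blob, string $expected): bool {
    $db_key = hex2bin($sitemeta['wp_2fa_secret_key'] ?? '');
    return open_secret($db_key, $blob) === $expected;
}

$totp_secret = 'JBSWY3DPEHPK3PXP';                          // constructed sample

// Design 1: key stored in wp_sitemeta beside the ciphertext (constructed row).
$sitemeta = ['wp_2fa_secret_key' => bin2hex(random_bytes(32))];
[$key, $from] = resolve_key($sitemeta);
$blob = seal_secret($key, $totp_secret);
printf("key from %s: dump alone recovers secret? %s\n", $from,
       dump_recovers($sitemeta, $blob, $totp_secret) ? 'yes' : 'no');

// Design 2: key defined outside the database (simulating wp-config.php).
define('WP2FA_SECRET_KEY', bin2hex(random_bytes(32)));
[$key, $from] = resolve_key($sitemeta);
$blob = seal_secret($key, $totp_secret);
printf("key from %s: dump alone recovers secret? %s\n", $from,
       dump_recovers($sitemeta, $blob, $totp_secret) ? 'yes' : 'no');
```

The stale database row in design 2 fails the GCM tag check, so the dump by itself no longer yields the TOTP secrets; the constant still has to be kept out of backups and version control.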


The topic ‘Encryption of TOTP secrets’ is closed to new replies.