Credential support for TOTP secrets stored on hardware authentication devices
Linus Goertz
started a topic
7 days ago
Storing an MFA secret in an encrypted document necessarily undermines security.
The typical approach to preventing this is to require authentication before allowing decryption, but this also means you need to have a server component and cannot have offline access to the data.
However, the same effect could also be achieved without this toll when we split up where secrets are stored.
For example, YubiKey has a feature where TOTP secrets are stored on the YubiKey itself and can be used with the companion software "Yubico Authenticator".
Therefore, I suggest expanding the MFA section of credentials with an option to generate the TOTP from a hardware authentication device.
Please let me know what you think, and thanks for your work.
Best regards,
Linus
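The split the post proposes, shown as an added example (not code from the original post or from any password manager): an RFC 6238 TOTP routine, a credential entry that embeds the seed next to an entry that stores only a reference to a device-held OATH slot, and a simulated hardware token standing in for a YubiKey's OATH applet. The `SimulatedHardwareToken` class, the `hardware_totp` entry layout, and the device serial are assumptions made for the illustration; the seed is the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass

# RFC 6238 test seed ("12345678901234567890" in base32); used here only as demo input.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SimulatedHardwareToken:
    """Stand-in for a YubiKey's OATH applet (constructed for this example):
    seeds are written in, only derived codes come back out."""

    def __init__(self, serial: str):
        self.serial = serial
        self._slots = {}

    def add_account(self, label: str, secret_b32: str) -> None:
        self._slots[label] = base64.b32decode(secret_b32)

    def code(self, label: str, at: int) -> str:
        return totp(self._slots[label], at)


@dataclass
class CredentialEntry:
    title: str
    username: str
    mfa: dict  # this dict is what ends up inside the encrypted document


def embedded_entry(title: str, username: str, secret_b32: str) -> CredentialEntry:
    # Today's layout: the TOTP seed travels with the document.
    return CredentialEntry(title, username, {"type": "totp", "secret": secret_b32})


def hardware_entry(title: str, username: str,
                   token: SimulatedHardwareToken, label: str) -> CredentialEntry:
    # Proposed layout (assumed field names): only a pointer to the device slot is stored.
    return CredentialEntry(title, username,
                           {"type": "hardware_totp",
                            "device_serial": token.serial,
                            "account": label})


def generate_code(entry: CredentialEntry, at: int,
                  token: SimulatedHardwareToken = None) -> str:
    """Produce the current code; hardware entries need the matching device present."""
    kind = entry.mfa["type"]
    if kind == "totp":
        return totp(base64.b32decode(entry.mfa["secret"]), at)
    if kind == "hardware_totp":
        if token is None or token.serial != entry.mfa["device_serial"]:
            raise LookupError("device %s not present" % entry.mfa["device_serial"])
        return token.code(entry.mfa["account"], at)
    raise ValueError("unknown MFA type: %s" % kind)


def document_exposes_secret(entry: CredentialEntry, secret_b32: str) -> bool:
    """True if decrypting the document would reveal the seed itself."""
    return secret_b32 in json.dumps(entry.mfa)


def demo(at: int = 59):
    """Both layouts yield the same code; only one of them leaks the seed."""
    token = SimulatedHardwareToken(serial="DEMO-0001")  # constructed serial
    token.add_account("example.org:linus", DEMO_SEED_B32)
    soft = embedded_entry("example.org", "linus", DEMO_SEED_B32)
    hard = hardware_entry("example.org", "linus", token, "example.org:linus")
    return {
        "embedded_code": generate_code(soft, at),
        "hardware_code": generate_code(hard, at, token),
        "embedded_exposes_seed": document_exposes_secret(soft, DEMO_SEED_B32),
        "hardware_exposes_seed": document_exposes_secret(hard, DEMO_SEED_B32),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the comparison makes: a decrypted document with a `hardware_totp` entry contains nothing an attacker could replay, and a device that is not plugged in simply fails the lookup, which is the offline-capable property the post is after.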