
hours ago I posted this: Is storing secret key as a plaintext in SQL a bad move?

I believe my question and summary weren't clear enough. I was referring to the secret key for the time-based OTP, not the regular password. Yes, I have password_hash()-ed the password, but not the secret key. The generated secret key can be used by Authy or Google Authenticator to show the current OTP every 30 seconds. Unless you guys are telling me to hash my secret key as well, I don't see why my question was a duplicate.

Regarding Dat's comment, I don't see how otplib (a JavaScript library) is going to help me, since I still need a different random key to tie to each individual account, unless I'm using the same key for all the accounts. Also, I need a way to note down which key links to which account, hence it goes back to my main question: how to store the keys securely so that whenever an account tries to log in with the OTP, I can verify it.

I apologize for the trouble, and thank you in advance.

Samuel Smith
  • I don't know your authentication workflow, but why does your PHP application even need to store the OTP? Typically this would be generated server side and just returned to the caller. There would be no need to store it. – Tim Biegeleisen Apr 23 '19 at 06:12
  • I was following this tutorial: https://www.youtube.com/watch?v=t49zjBGD75U , with some slight amendments. Also, I'm not storing the OTP, I'm storing the secret key. The secret key will show a 6-digit OTP every 30s when the secret key is added to Google Authenticator or Authy. – Samuel Smith Apr 23 '19 at 06:28

1 Answer

I understand your problem. Following the otplib instructions, I think this is what you need to store:

import crypto from 'crypto';
import { authenticator } from 'otplib'; // authenticator is the otplib export used below

authenticator.options = { crypto };

// Or if you're using the other OTP methods
// hotp.options = { crypto }
// totp.options = { crypto }

const secret = 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD'; // <--- This is what you need to store, right?
const token = authenticator.generate(secret); // 556443

Normally this secret key is generated from your user id + YOUR_PRIVATE_SECRET_KEY

YOUR_PRIVATE_SECRET_KEY is a key injected into the back-end environment

Dat Ho