Example on how to handle recovery codes? #59
Comments
I'd be ok with a sub-module for recovery codes. I'm a little concerned about scope creep - as you allude to, recovery codes inherently need storage. Additionally, you probably want to either hash or encrypt them - ideally they aren't stored in clear text. Just sketching out how this could work, to avoid storing recovery codes in clear text:
To validate:
I'm not sure step 3 having an interface is a big help - it's going to be very app specific so I'm wondering if we should instead focus on easy to use composable functions with a few examples, what do you think?
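The generate-and-validate flow sketched above, written out as an added example; this is not code from the pquerna/otp library or from anyone in this thread. It assumes the application is happy to store only SHA-256 digests (a fast hash is acceptable here because each code is 80 random bits rather than a user-chosen password), and the in-memory store struct stands in for whatever backend the application actually uses.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"strings"
)

// RecoveryCodeStore holds only SHA-256 digests of the codes, never the plain
// text, so a leaked table does not yield working codes. Each digest is removed
// once its code is consumed, making every code single-use.
type RecoveryCodeStore struct {
	hashes [][32]byte
}

// GenerateRecoveryCodes returns n plain-text codes (shown to the user exactly
// once) and a store containing only their digests. Each code carries 80 bits
// of entropy; dashes are for readability and are stripped before hashing.
func GenerateRecoveryCodes(n int) ([]string, *RecoveryCodeStore, error) {
	codes := make([]string, 0, n)
	store := &RecoveryCodeStore{}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	for i := 0; i < n; i++ {
		var buf [10]byte
		if _, err := rand.Read(buf[:]); err != nil {
			return nil, nil, err
		}
		raw := enc.EncodeToString(buf[:]) // 16 uppercase base32 characters
		codes = append(codes, raw[:4]+"-"+raw[4:8]+"-"+raw[8:12]+"-"+raw[12:])
		store.hashes = append(store.hashes, sha256.Sum256([]byte(raw)))
	}
	return codes, store, nil
}

// Consume normalises user input (case, dashes, spaces), compares its digest
// against every stored digest in constant time, and burns the match.
func (s *RecoveryCodeStore) Consume(code string) error {
	clean := strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code))
	want := sha256.Sum256([]byte(clean))
	for i, h := range s.hashes {
		if subtle.ConstantTimeCompare(h[:], want[:]) == 1 {
			s.hashes = append(s.hashes[:i], s.hashes[i+1:]...)
			return nil
		}
	}
	return errors.New("invalid or already used recovery code")
}
```

Because only digests are kept, this design cannot re-display codes later; an application that needs that (as raised later in the thread) would have to encrypt rather than hash them.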
@pquerna Is this issue stale? I was writing a recovery code module for myself the other day using 4-letter English words to encode a binary code. Argon2id for hashing. I could contrib it here. Interested?
Hi, I don't think storing a hash for recovery codes is a good idea for all use cases. For example GitHub allows you to view the plain recovery codes at any time and this is not possible if you hash the recovery codes. I'm adding TOTP support to SFTPGo and I'm using a struct like the following one to keep recovery codes
This feature is very application specific and I think it is out of the scope of the library
@dkotik a sub-module for recovery code generation seems helpful. If it pulls in other deps, might drop it in a new
Forgive me if this is a stupid question, how exactly can I handle recovery codes for users?
In README, you said "These can simply be randomly generated strings that you store in your backend" but I could not find the code that does this.
Does that mean I need to handle recovery codes myself? I was thinking along the lines of
Let me know if you have plans to support this behavior natively in this package, or if you are interested in a Pull Request that does this (backend storage via an interface, of course)?