Write-only store for secrets #105
Currently the secrets are stored in a user-readable file. This is not necessarily a good idea, given that if an attacker manages to gain limited access to the user's session or account, and read that file, he can duplicate the token used for 2FA without leaving much of a trace.
A write-only secret store would be nice to have. That is, storing the configuration in a way that prevents the user from reading the secret (and emergency codes), and only allows him to update or remove it altogether. It might also be reasonable to prevent updates to other options without setting a new secret, to prevent the attacker from weakening the system silently.
If this were the case and the attacker only managed to obtain partial/temporary access to the user's session, the best he could do is disable 2FA altogether or set a new secret. In both cases, the user will notice it on the next login (attempt).
A possible implementation would be to make