google / google-authenticator-libpam

Apache License 2.0

Write-only store for secrets #105

Closed mgorny closed 6 years ago

mgorny commented 6 years ago

Currently the secrets are stored in a user-readable file. This is not necessarily a good idea, given that if an attacker manages to gain limited access to the user's session or account, and read that file, he can duplicate the token used for 2FA without leaving much of a trace.

Having a write-only secret store would be nice to have. That is, storing the configuration in a way that prevents the user from reading the secret (and emergency codes), and only allows him to update or remove it altogether. It might also be reasonable to prevent updates to other options without setting a new secret, to prevent the attacker from weakening the system silently.

If this were the case and the attacker only managed to obtain partial/temporary access to the user's session, the best he could do is disable 2FA altogether or set a new secret. In both cases, the user will notice it on next login (attempt).

A possible implementation would be to make google-authenticator setuid, and keep the files with restricted access somewhere.

ThomasHabets commented 6 years ago

You can make a wrapper program and use `secret=` and `user=some-dedicated-user` to achieve this.
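The arrangement the maintainer describes, written out as an added example (this is not code from the google-authenticator-libpam project or from either commenter). It assumes the module's documented `secret=` and `user=` options with `${USER}` expansion and the `google-authenticator` tool's `-s` flag; the store path `/var/lib/google-authenticator`, the dedicated account `gauth` and the sudoers entry are constructed for the example. The PAM line makes the module read each user's secret file as `gauth`, the enrollment wrapper writes the file as `gauth` so the logging-in user never gets read access, and `check_secret_store` verifies that nothing in the store is readable with the user's own privileges.

```shell
#!/bin/sh
# Added example, not project code. Write-only secret store for
# pam_google_authenticator built from the secret= and user= options.
# Constructed assumptions: secrets live in $STORE_DIR/<login name>,
# owned by the dedicated account $STORE_USER, directory mode 0700.

STORE_DIR=/var/lib/google-authenticator
STORE_USER=gauth

# PAM configuration line. ${USER} is expanded by the module to the login
# name; user= makes the module access the file with gauth's privileges,
# so the file itself can stay unreadable to the account being verified.
pam_line() {
  printf 'auth required pam_google_authenticator.so secret=%s/${USER} user=%s\n' \
    "$STORE_DIR" "$STORE_USER"
}

# One-time setup, run as root: directory readable by gauth only.
setup_store() {
  install -d -m 700 -o "$STORE_USER" -g "$STORE_USER" "$STORE_DIR"
}

# Enrollment wrapper, run through sudo as $STORE_USER (assumed sudoers
# entry: "ALL ALL=(gauth) /usr/local/sbin/ga-enroll"). The target path is
# derived from SUDO_USER rather than taken from the caller, so a user can
# only (re)write his own secret, and umask 077 keeps the file private to
# gauth. The user sees the QR code / codes once, at enrollment, but cannot
# read the file afterwards, which is the write-only property asked for.
enroll() {
  who=${SUDO_USER:?run this through sudo -u $STORE_USER}
  umask 077
  google-authenticator -s "$STORE_DIR/$who"
}

# Low nine permission bits of a path as three octal digits
# (GNU stat first, then BSD/macOS stat).
mode_of() {
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  printf '%s\n' "${m#"${m%???}"}"
}

# Verify the store: directory must be 0700 and every secret file 0600 or
# 0400. Any group/world read bit would let a user with ordinary access
# copy a secret, which is exactly the scenario the issue describes.
# Returns 0 when the store is sound, 1 otherwise (reason on stderr).
check_secret_store() {
  dir=$1
  [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
  dm=$(mode_of "$dir") || return 1
  [ "$dm" = 700 ] || { echo "$dir: mode $dm, want 700" >&2; return 1; }
  for f in "$dir"/*; do
    [ -e "$f" ] || continue   # empty directory: the glob did not match
    fm=$(mode_of "$f") || return 1
    case "$fm" in
      600|400) ;;
      *) echo "$f: mode $fm, want 600 or 400" >&2; return 1 ;;
    esac
  done
  return 0
}

# Usage (as root): setup_store; pam_line >> /etc/pam.d/sshd
#                  check_secret_store "$STORE_DIR"
```

Ownership of the directory should also be checked against `$STORE_USER` in a real deployment; the mode check above is the part that catches the "attacker reads the user's own file" case from the issue, since a file owned by `gauth` with mode 0600 cannot be read from the user's session at all.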