SpeakEasy security with secret exposed


I was using the speakeasy package to implement Google auth in my app. I generated the secret as below:

const speakeasy = require('speakeasy');

// Generate a new per-user secret (the `***` stands in for the real label)
var secret = speakeasy.generateSecret({
  name: `***`
  // encoding: 'ascii'
});

I would then validate it like below:

// `***` is the stored secret for this user; `code` is the token the user submitted
let validOtp = speakeasy.totp.verify({
  secret: `***`,
  encoding: 'ascii',
  token: code
});

If the generated secret was compromised, would it be possible to bypass this verification even without having the time-based OTP, or is this still secure?

I thought it would be better to encrypt the secret then decrypt when needed. Is this overkill and unnecessary?


I found my answer in a GitHub issues thread. As soon as the secret key is compromised, the attacker can generate a code at any point.

https://github.com/speakeasyjs/speakeasy/issues/24