I was using the speakeasy package to implement Google Auth in my app, generating the secret as below:
var speakeasy = require('speakeasy');
var secret = speakeasy.generateSecret({
    name: `***`
    // encoding: 'ascii'
});
I would then validate like below:
let validOtp = speakeasy.totp.verify({
    secret: `***`,
    encoding: 'ascii',
    token: code
});
If the generated secret was compromised, would it be possible to bypass this verification even without having the time-based OTP, or is this still secure?
I thought it would be better to encrypt the secret and then decrypt it when needed. Is this overkill and unnecessary?
I found my answer in a GitHub issues thread: as soon as the secret key is compromised, the attacker can generate a code at any point.
https://github.com/speakeasyjs/speakeasy/issues/24