TOTP Key Security: Best Practices

TL;DR

Storing your TOTP secret key securely is vital. Don’t store it in plain text! Use a dedicated secrets manager, encrypted storage (like a password manager), or a hardware token that holds the secret and computes the codes itself for the best protection. Never put it in source code, configuration files or shell history.

Securely Storing Your TOTP Key

  1. Understand the Risk: TOTP is a shared-secret scheme. Anyone who obtains the secret can compute every current and future code offline and bypass your two-factor authentication, and the login looks legitimate to you because the code is correct.
  2. Never Store Keys in Plain Text: This is the biggest mistake. Avoid storing keys directly in:
    • Code repositories (e.g., Git), including their history: a secret that was committed once is still there after you delete the line
    • Configuration files
    • Databases without encryption
    • Log files, shell history and CI build output
    • Screenshots or saved copies of the enrolment QR code, which encode the same secret
  3. Option 1: Dedicated Secrets Manager

    Secrets managers are designed for this purpose. They offer encryption at rest, access control and an audit trail of who read the secret and when.

    • HashiCorp Vault: A popular choice, but requires setup and maintenance. Write the secret to a KV path and attach a policy that lets only the verifying service read it:
      vault kv put secret/totp key=YOUR_TOTP_KEY
      Pass the value from a file or standard input rather than typing it on the command line, which would leave it in your shell history.
    • AWS Secrets Manager / Azure Key Vault / Google Cloud Secret Manager: If you’re using a cloud provider, these are often the easiest options. Grant read access to the service identity (IAM role, managed identity or service account) that performs the verification rather than to individual users, and follow their documentation for setup.
  4. Option 2: Encrypted Storage (Password Managers)

    Reputable password managers offer secure storage with strong encryption.

    • 1Password, LastPass, Bitwarden: Store the key as a ‘secure note’ (or use the manager’s built-in TOTP field). Ensure your master password is very strong and you use two-factor authentication on the password manager itself!
    • Be careful about syncing: Understand how your chosen password manager syncs data and ensure the synced copy is end-to-end encrypted.
    • Mind what you are protecting: if the TOTP secret lives in the same vault as the password it is meant to back up, one compromised vault gives up both factors. Keep the second factor separate for your most sensitive accounts.
  5. Option 3: Hardware Tokens (YubiKeys, HSMs)

    These provide the strongest protection because the secret is written into a physical device that computes the codes itself and never exports the secret.

    • YubiKey OATH application: YubiKeys with the OATH applet (the 5 series, for example) store TOTP secrets on the key; the host (for example the Yubico Authenticator app) supplies the time and receives only the six-digit code.
    • HSM (Hardware Security Module): More complex and expensive, suitable for enterprise environments. It only helps on the server side if the HMAC is computed inside the HSM; an HSM that merely stores the secret and hands it back to your application is no safer than encrypted storage.
  6. Option 4: Environment Variables (with caution)

    If you *must* use environment variables, understand what they leak: they are inherited by every child process, readable from /proc/<pid>/environ by any process running as the same user, and frequently dumped into crash reports and debug pages. Ensure they are not logged or exposed in any way.

    • Set the variable at runtime: Avoid hardcoding it into scripts.
      export TOTP_SECRET=YOUR_TOTP_KEY
      Typing this interactively writes the secret to your shell history; instead have the process manager or secrets manager inject it at start-up, or read it from a file with mode 0600.
    • Restrict access to the environment: Only allow necessary processes to read the variable, and have the application unset it once it has copied the value into memory.
  7. Key Rotation: Rotate a TOTP key immediately when the secret may have been exposed or the device holding it is lost. Scheduled rotation (e.g., every 90 days) is only practical where re-enrolling the authenticator is cheap, because every rotation requires the user to scan a new QR code.
  8. Access Control: Limit who, and which services, can read the key storage location, regardless of the method used, and review the access log periodically.
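
As an added example (not code from the original article), the following Python shows the two things the list above talks around: the RFC 6238 code computation, which demonstrates that whoever holds the secret can mint valid codes, and a loader that accepts the secret only from an environment variable it then scrubs, or from a file with mode 0600 or stricter. The function names, the TOTP_SECRET_FILE variable name and the sample secret (the published RFC 6238 test value, constructed here and not a real credential) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import time
from typing import Optional

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890")
# in base32, the form an enrolment QR code carries. It is a published test value,
# not a real credential.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 TOTP secret, tolerating the spaces and missing '='
    padding that authenticator apps and QR codes commonly omit."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HMAC over the big-endian time step, dynamic truncation,
    then the low `digits` decimal digits. Anyone holding the secret can run
    this, which is why the secret must never sit in plain text."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, now: Optional[float] = None,
           window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step and +/- `window` adjacent steps
    (clock drift). Every candidate is compared in constant time and all of
    them are checked, so timing does not reveal which step matched."""
    now = time.time() if now is None else now
    ok = False
    for i in range(-window, window + 1):
        candidate = totp(secret_b32, now + i * step, step=step, digits=digits)
        ok |= hmac.compare_digest(candidate, str(code))
    return ok


def mode_is_private(mode: int) -> bool:
    """True when a file mode grants nothing to group or others (0600, 0400)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_secret(env=None) -> str:
    """Fetch the secret from an approved runtime source, never from a file
    that could be committed. TOTP_SECRET is popped from the environment so
    child processes do not inherit it; TOTP_SECRET_FILE (a hypothetical
    variable name for this example) must point at a file with mode 0600 or
    stricter, otherwise loading is refused."""
    env = os.environ if env is None else env
    value = env.pop("TOTP_SECRET", None)
    if value:
        return value.strip()
    path = env.get("TOTP_SECRET_FILE")
    if path:
        if not mode_is_private(os.stat(path).st_mode):
            raise PermissionError(f"{path} is readable by group/others; chmod 600 it")
        with open(path, encoding="ascii") as fh:
            return fh.read().strip()
    raise RuntimeError("no TOTP secret configured (TOTP_SECRET or TOTP_SECRET_FILE)")


if __name__ == "__main__":
    # Demonstration only: the published RFC 6238 vector, then a live code
    # computed from a secret handed in through the environment.
    print("RFC 6238 T=59 ->", totp(SAMPLE_SECRET_B32, 59, digits=8))  # 94287082
    print("current code ->", totp(load_secret({"TOTP_SECRET": SAMPLE_SECRET_B32})))
```

The verifier above covers drift and timing, but a production service also has to remember the last counter it accepted for each user and refuse a second login with the same code within the same step, which is the replay protection RFC 6238 recommends and which needs state this example does not keep.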

Remember that no solution is perfect. Choose the option that best balances security with usability for your specific needs.
