Encrypting TOTP secrets and delivered tokens
The server sometimes needs to store authentication-related data in a user's entry in reversible form, because it must later recover the clear-text value rather than merely compare a one-way hash against it. This includes:
- Shared secrets that are needed to generate time-based one-time passwords for use by the UNBOUNDID-TOTP Simple Authentication and Security Layer (SASL) mechanism. The server might also need to store the last TOTP password that the client used so that it cannot be reused.
- One-time passwords that have been generated by the server and delivered to the user for use by the UNBOUNDID-DELIVERED-OTP SASL mechanism.
- Password reset tokens that allow a user to recover access to their account even if they have forgotten their password, if their password has expired, or if the account has been locked.
This information must be stored in a form that allows the server to obtain its clear-text value. Although these values can be stored in the clear, the Encrypt TOTP Secrets and Delivered Tokens plugin can be used to encrypt them so that they are not exposed to anyone who gains access to the corresponding operational attributes in the user's entry, for example through a directory search, an LDIF export, or a backup. Note that the server still decrypts the values whenever it uses them, so this protects the stored data, not the running server process or its encryption keys.
For more information, see the config/sample-dsconfig-batch-files/enable-encryption-for-shared-secrets-and-one-time-passwords.dsconfig sample batch file.
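As an added illustration, not PingDirectory code and not a description of how the plugin itself is implemented, the following Python shows why a TOTP shared secret must be recoverable: verifying a code means recomputing an HMAC over the raw secret, so a one-way hash of the secret would be useless, and remembering the last accepted time step is what prevents the same password from being replayed within its validity window. The secret is kept encrypted under a server-held key so that reading the entry alone yields nothing usable. The attribute names `totp-secret` and `totp-last-counter` are hypothetical, and the cipher is a stdlib-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM.

```python
"""Illustration only (not PingDirectory code): a TOTP secret stored encrypted
at rest, decrypted on demand for verification, with replay protection.
Stdlib only.  The cipher below is a stand-in for a real AEAD (e.g. AES-GCM)."""
import base64
import hashlib
import hmac
import os
import struct
import time

STEP = 30      # RFC 6238 time step, seconds
DIGITS = 6


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) over an RFC 6238 time counter.
    This needs the raw secret: a hash of the secret could not produce the code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one server-held key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(nonce || block index).
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_secret(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce(16) || ciphertext || tag(32); encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_secret(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before decrypting; raises on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored secret failed authentication (tampered or wrong key)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def new_user_entry(server_key: bytes, secret: bytes) -> dict:
    """Hypothetical user entry: the secret is only ever stored encrypted."""
    return {"totp-secret": base64.b64encode(encrypt_secret(server_key, secret)).decode(),
            "totp-last-counter": None}


def verify_totp(entry: dict, server_key: bytes, code: str, now=None, window: int = 1) -> bool:
    """Accepts a code for the current step +/- `window`, then records the step so
    the same password cannot be replayed while it is still within the window."""
    now = time.time() if now is None else now
    counter = int(now // STEP)
    secret = decrypt_secret(server_key, base64.b64decode(entry["totp-secret"]))
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(totp(secret, c), code):
            last = entry["totp-last-counter"]
            if last is not None and c <= last:
                return False          # already consumed: reject the replay
            entry["totp-last-counter"] = c
            return True
    return False


if __name__ == "__main__":
    # Constructed demo input: the RFC 4226 / RFC 6238 test secret.
    key = os.urandom(32)
    entry = new_user_entry(key, b"12345678901234567890")
    print("entry as stored:", entry)
    print("first use accepted:", verify_totp(entry, key, "287082", now=59))
    print("replay accepted:", verify_totp(entry, key, "287082", now=59))
```

The encrypted attribute is opaque to anyone who reads the entry, but the verification path still has to decrypt it, which is why the server's encryption key must be protected separately from the entry data.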