Data protection
2FAuth provides several security mechanisms to protect your sensitive 2FA data, some configured at administrator level and some at user level.
For administrators
DB encryption
Sensitive data stored in the database (each account's 2FA secret and otpauth URI) can be encrypted, so that a compromise of the database alone does not expose the secrets.
Check the Protect sensitive data option in 2FAuth's Admin > App setup section to enable encryption.
Encryption applies to the data of all users.
Warning
The value of the APP_KEY environment variable is used as the encryption key. Make a backup copy of that key and keep it somewhere safe, separately from your database backups.
If you lose this key there is no way to decrypt the stored secrets, and therefore no way to generate One-Time Passwords for any account. There is no workaround.
If you need to rotate the key, set the new value in APP_KEY and list the previous key(s) in the APP_PREVIOUS_KEYS environment variable, so that data encrypted with an older key can still be decrypted.
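The key rotation described above can be scripted. The following is an added example, not code from the 2FAuth project: it relies on the fact that 2FAuth is built on Laravel, whose encrypter reads APP_KEY from .env and accepts a comma-separated list of older keys in APP_PREVIOUS_KEYS. It assumes unquoted values in .env and the `base64:` key format Laravel uses; the .env path, file contents and key values it works on are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the 2FAuth docs or code base.
# Rotates Laravel's APP_KEY in a .env file and pushes the old key onto the
# comma-separated APP_PREVIOUS_KEYS list, so 2FA secrets encrypted with the
# old key remain decryptable. Assumes unquoted KEY=value lines.

# A key for Laravel's default AES-256-CBC cipher is "base64:" followed by
# 32 random bytes in base64 (44 characters). Returns 0 if $1 looks like one.
validate_app_key() {
  key="$1"
  case "$key" in
    base64:*) ;;
    *) return 1 ;;
  esac
  b64="${key#base64:}"
  [ "${#b64}" -eq 44 ] || return 1
  case "$b64" in
    *[!A-Za-z0-9+/=]*) return 1 ;;   # only base64 characters allowed
  esac
  return 0
}

# Generate a fresh 32-byte key in Laravel's format.
new_app_key() {
  printf 'base64:%s\n' "$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
}

# Rotate APP_KEY in the .env file given as $1. An optional $2 supplies the new
# key (useful for testing); otherwise one is generated. Refuses to run if the
# file has no APP_KEY, if the new key is malformed or equals the current one.
# A timestamped backup of .env is kept first: the old key is the only way to
# decrypt anything not yet re-encrypted under the new one.
rotate_app_key() {
  envfile="$1"
  newkey="${2:-$(new_app_key)}"

  validate_app_key "$newkey" || { echo "rotate_app_key: malformed new key" >&2; return 1; }

  cur=$(sed -n 's/^APP_KEY=//p' "$envfile")
  [ -n "$cur" ] || { echo "rotate_app_key: no APP_KEY in $envfile" >&2; return 1; }
  [ "$cur" != "$newkey" ] || { echo "rotate_app_key: new key equals current key" >&2; return 1; }

  prev=$(sed -n 's/^APP_PREVIOUS_KEYS=//p' "$envfile")
  if [ -n "$prev" ]; then merged="$cur,$prev"; else merged="$cur"; fi

  cp "$envfile" "$envfile.bak.$(date +%s)" || return 1

  # Rewrite the file: keep every other line, then append the two key lines.
  {
    grep -v -e '^APP_KEY=' -e '^APP_PREVIOUS_KEYS=' "$envfile" || true
    printf 'APP_KEY=%s\n' "$newkey"
    printf 'APP_PREVIOUS_KEYS=%s\n' "$merged"
  } > "$envfile.tmp" && mv "$envfile.tmp" "$envfile"
}
```

Run it as `rotate_app_key /path/to/2fauth/.env` and restart the application afterwards. Keys listed in APP_PREVIOUS_KEYS are only needed until every encrypted record has been re-encrypted with the current key, but removing one too early reproduces the key-loss situation described in the warning, so keep the backups.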
For users
Auto lock
2FAuth can automatically log you out to keep your data protected. The goal is to avoid a long-lived session that someone else could reuse, for example on a public computer you forgot to log out of, or on your own smartphone after it is stolen.
Use the Auto lock combobox in 2FAuth's Settings > Options section to choose the trigger, or to disable the feature.
Sensitive data hiding
You can configure 2FAuth to display One-Time Passwords in obfuscated form rather than as human-readable digits.
This mitigates shoulder surfing, where someone nearby reads your password by watching your screen as you generate it.
Of course, this is only suitable if you can paste the password into the destination service rather than typing it. Simply click or tap the obfuscated password in 2FAuth to copy it. Keep in mind that the copied password stays in your clipboard until something else overwrites it.
Check the Show generated one-time passwords as dot option in 2FAuth's Settings > Options section to enable obfuscation.