
Is my TOTP key secure on a free hosting provider server with FTP and .htaccess restrictions?

Çağlar Arlı


I'm hosting a website on a free hosting provider server that uses PHP for OTP-based authentication. Here’s how it works:

  1. If an unregistered IP address visits the site, it shows an "Unauthorized" message.

  2. For registered IPs, the site asks for an OTP, giving users three attempts to enter it correctly. The result is either "SUCCESS" or "FAIL" based on the input.

  3. An OTP is generated every 30 seconds using the PHPGangsta/GoogleAuthenticator library (GitHub link).

  4. The TOTP key is stored in an encrypted file on the server, and the PHP file decrypts it to generate OTPs.

  5. If the authentication is successful, the server also shares a secret, which is likewise stored as an encrypted file.

  6. The PHP file also processes the OTP and sends the relevant message to the index HTML page.

  7. Both the PHP files (the one generating OTPs and the one containing the encrypted key) have file permissions set to 600.

  8. I have also set up .htaccess to block access to all IP addresses except for a few trusted ones.

  9. I was provided with FTP credentials (username and password) to access the server.

Given the file permissions and .htaccess restrictions, is my TOTP key safe on the server? Could the PHP files still be accessible from the internet if my FTP credentials remain secure? What other security concerns should I be aware of in this setup?