diff --git a/Security-implementation.md b/Security-implementation.md index 5310f0b..d1f6f59 100644 --- a/Security-implementation.md +++ b/Security-implementation.md @@ -4,7 +4,7 @@ User password is hashed with bcrypt, using 12 rounds. Password is stored in the ## 2FA -Wild Duck generates TOTP seed tokens. These are encrypted (aes192) on storage with an application configured master password. Encrypted TOTP seed is stored in the user entry in the users database. +Wild Duck generates random TOTP seed tokens. These are encrypted (aes192) on storage with an application configured master password. Encrypted TOTP seed is stored in the user entry in the users database. If 2FA is enabled then account password can only be used for the "master" scope but not for IMAP, POP3 or SMTP. In these cases the user must generate an Application Specific Password for the required scope(s).
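Review bot: In the added line "+Wild Duck generates random TOTP seed tokens", the word "random" does not tell the reader what they need to judge the seed. The line should say whether the seed comes from a cryptographically secure generator and how many bits it carries. The same sentence documents the storage encryption only as "aes192" with "an application configured master password". It is worth extending while this line is being touched: state the cipher mode, whether a fresh IV is used per seed, whether the ciphertext is authenticated, and how the key is derived from the master password. The unchanged context line about Application Specific Passwords reads fine as is.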