Reputation: 14423
How to generate a QR Code for Google Authenticator that correctly shows Issuer displayed above the OTP?
Warning: sharing your TOTP seed with third-parties breaks the very basic assumption of multi-factor authentication that the TOTP seed is secret.
So, I'm aware of the documentation on this, found here: Google Authenticator Key URI Format
When I follow this example from that page:
otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example
And I 'splice' it into a Google Charts URL, thus:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example
It will display a valid QR code, and if I scan it with my Google Authenticator app on my phone, it will begin to generate valid OTPs.
However, in the display on the phone, for the entry created by the QR code, I get the OTP, and under it, I get 'Example:[email protected]'. What I want, is to have 'Example' displayed above the OTP, and '[email protected]' displayed below the OTP. I can't help but notice that's the way all the professionally produced apps do it. For example, Google, Wordpress, Amazon, etc. The company name is above the OTP, and the username is displayed below the OTP. Yes, this is purely a cosmetic issue, but I want to get it right.
Can anyone offer me a clue?
Upvotes: 59
Views: 156568
Answers (5)
Reputation: 6210
https://github.com/dim13/otpauth
$ go install github.com/dim13/otpauth@latest
$ otpauth -link 'otpauth-migration://offline?data=…
Upvotes: 0
Reputation: 11285
The responses recommending usage of Google Charts are absolutely terrible from information security point of view. That's essentially sharing the TOTP secret as well as your username ([email protected]) and issuer (Example) with a third-party company with no legal obligation to keep them secret, and doing that over a GET request! Doing so you violate not only every single assumption underlying multi-factor authentication but also most likely your organisation's information security policy. It nullifies any value added by MFA since the only factor that protects you from compromising your account in case of password breach is itself breached.
Just use any QR code generator as long as it's processing your data locally.
NEVER USE ONLINE QR GENERATORS FOR MFA SECRETS
On Linux I'd recommend the python-qrcode library that can print your QR code using UTF-8 characters on the console.
pip install qrcode
Then:
qr "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"
Upvotes: 73
Reputation: 4323
I use a different way using a local qrencode installation:
qrencode -o- -d 300 -s 10 "otpauth://totp/YOUR_IDENTIFICATION?secret=YOUR_SECRET" | display
In this way I can rebuild my lost authentication key library from what I had on my laptop.
If you are worried about the SECRET showing up in the bash history you can read the secret in hidden mode and use it:
read -p "Write your secret here (no output expected): " -s YOUR_SECRET
qrencode -o- -d 300 -s 10 "otpauth://totp/YOUR_IDENTIFICATION?secret=$YOUR_SECRET" | display
In this way, when you close the bash session, no trace of your secrets will available.
PS. in case you don't have qrencode binary, install it with brew
brew install qrencode
Upvotes: 39
Reputation: 14423
Warning: sharing your TOTP seed with third-parties breaks the very basic assumption of multi-factor authentication that the TOTP seed is secret.
Just figured this out.
As it turns out, I needed to encode all the special characters in the 'oauth', i.e., '$', '%', '=', etc.
So, using the same Google Charts URL as before, but encoding those characters, like this:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/Example%3Aalice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP%26issuer%3DExample
And it works correctly.
Upvotes: -3
Reputation: 4396
Just want to note, newer versions for Google Authenticator will use the issuer parameter, documented here:
https://github.com/google/google-authenticator/wiki/Key-Uri-Format#issuer
e.g:
Upvotes: 4
Related Questions
- How to generate QR code with logo inside it?
- Google authenticator invalid barcode on scan
- Issuer label on QR code for 2FA not showing correct value
- Scanning QR Code does not work with Google Autneticator on IOS
- Two-factor authentication with Google Authenticator - manually type key instead of scanning QR code
- phpqrcode and google authenticator - not sure of the format of things and how to get it to validate correctly
- node-qrcode shows different code which is not varifiable at Server side using Otp.NET
- QR Code for TOTP multi factor (like google authenticator) -- how do I set my logo?
- parameters to make a QR code that Authy understands
- What data do I have to use to generate a QR code for Google Authenticator?