Martin

Reputation: 69

Invalid barcode - Google Authenticator - iOS - padding with =

We have a problem with Google Authenticator on iOS. We are using the standard code snippet below to generate a TOTP key:

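import javax.crypto.KeyGenerator;
import org.apache.commons.codec.binary.Base32; // assumed: Apache Commons Codec

// Generate a random key of keySize bits
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(keySize);
byte[] byteKey = keyGen.generateKey().getEncoded();
// Base32-encode it; this encoder appends "=" padding
Base32 base32 = new Base32();
return base32.encodeAsString(byteKey);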

The code that is generated is padded at the end with trailing = signs as below.

6ICU5K45MHIZCMTR3DABCDFP7XSZGV4DVTRABCOPD5RDQRGOLTGQ====

We then generate an appropriate QR code based on this string but we have problems when it is scanned on some devices. This code works using Google Authenticator on Android but fails when using the iOS version with the following error...

Invalid barcode

The barcode 'otpauth://totp/MyDomain:[email protected]?secret=6ICU5K45MHIZCMTR3DABCDFP7XSZGV4DVTRABCOPD5RDQRGOLTGQ%3D%3D%3D%3D&issuer=MyDomain' is not a valid authentication token barcode.

As you can see, the trailing = padding is encoded in the secret string and this seems to cause the error on iOS. No idea why this fails on iOS but not on Android, but it is something we need to address.

Here is an old issue on GA GitHub which seems to be the same issue but with no resolution... https://github.com/google/google-authenticator/issues/267

And here is someone who has worked around the problem by seeding the string before encoding, but this won't work in the scenario above: "Google Authenticator on Apple devices, certain secrets are not valid"

Any ideas as to why or a possible way around the problem?

Upvotes: 2

Views: 4650

Answers (2)

paulslater19

Reputation: 5917

According to the Google Authenticator repo (https://github.com/google/google-authenticator/wiki/Key-Uri-Format#algorithm), the padding (i.e. the = signs) should be omitted from the secret parameter.

REQUIRED: The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548. The padding specified in RFC 3548 section 2.2 is not required and should be omitted.

Upvotes: 0
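
What the requirement quoted above looks like in Java, as an added example that is not part of either answer or of Google Authenticator's own code: it encodes a key without padding, or strips the padding from an already-encoded secret, before building the otpauth URI. The class and method names and the account name alice@example.com are assumptions made for illustration; only the JDK is used.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class OtpAuthUri {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // Base32 without "=" padding, which the Key Uri Format says to omit.
    static String base32NoPadding(byte[] data) {
        StringBuilder out = new StringBuilder((data.length * 8 + 4) / 5);
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xFF);
            bits += 8;
            while (bits >= 5) {
                out.append(ALPHABET.charAt((buffer >>> (bits - 5)) & 0x1F));
                bits -= 5;
            }
        }
        if (bits > 0) { // left-align the leftover bits in a final 5-bit group
            out.append(ALPHABET.charAt((buffer << (5 - bits)) & 0x1F));
        }
        return out.toString();
    }

    // For secrets already stored with padding; "=" carries no key bits.
    static String stripPadding(String base32) {
        return base32.replaceAll("=+$", "");
    }

    static String totpUri(String issuer, String account, String secret) {
        if (secret.indexOf('=') >= 0) {
            throw new IllegalArgumentException("secret must not contain Base32 padding");
        }
        String label = enc(issuer) + ":" + enc(account);
        return "otpauth://totp/" + label + "?secret=" + secret + "&issuer=" + enc(issuer);
    }
    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }
    public static void main(String[] args) {
        // Padded secret quoted in the question; the account name is constructed.
        String padded = "6ICU5K45MHIZCMTR3DABCDFP7XSZGV4DVTRABCOPD5RDQRGOLTGQ====";
        System.out.println(totpUri("MyDomain", "alice@example.com", stripPadding(padded)));
        byte[] key = new byte[32]; // 256 bits, the size of the secret above
        new SecureRandom().nextBytes(key);
        System.out.println(totpUri("MyDomain", "alice@example.com", base32NoPadding(key)));
    }
}
```

`URLEncoder.encode(String, Charset)` requires Java 10 or later.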

Martin

Reputation: 69

Just in case anyone else hits this problem, which I'm guessing they will given the issue is with iOS Google Authenticator, I solved the problem by string replacing the trailing = characters with base 32 encodable characters.

Upvotes: 1
