How to generate a QR Code for Google Authenticator that correctly shows Issuer displayed above the OTP?

一笑奈何 提交于 2019-12-20 08:29:14

问题


Warning: sharing your TOTP seed with third-parties breaks the very basic assumption of multi-factor authentication that the TOTP seed is secret.

So, I'm aware of the documentation on this, found here: Google Authenticator Key URI Format

When I follow this example from that page:

otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

And I 'splice' it into a Google Charts URL, thus:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

It will display a valid QR code, and if I scan it with my Google Authenticator app on my phone, it will begin to generate valid OTPs.

However, in the display on the phone, for the entry created by the QR code, I get the OTP, and under it, I get 'Example:alice@google.com'. What I want, is to have 'Example' displayed above the OTP, and 'alice@google.com' displayed below the OTP. I can't help but notice that's the way all the professionally produced apps do it. For example, Google, Wordpress, Amazon, etc. The company name is above the OTP, and the username is displayed below the OTP. Yes, this is purely a cosmetic issue, but I want to get it right.

Can anyone offer me a clue?


回答1:


I use a different way using a local qrencode installation:

qrencode -o- -d 300 -s 10 "otpauth://totp/YOUR_IDENTIFICATION?secret=YOUR_SECRET" | display

In this way I can rebuild mt lost authentication key library from what I had on my laptop.




回答2:


Warning: sharing your TOTP seed with third-parties breaks the very basic assumption of multi-factor authentication that the TOTP seed is secret.

Just figured this out.

As it turns out, I needed to encode all the special characters in the 'oauth', i.e., '$', '%', '=', etc.

So, using the same Google Charts URL as before, but encoding those characters, like this:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/Example%3Aalice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP%26issuer%3DExample

And it works correctly.




回答3:


The responses recommending usage of Google Charts are absolutely terrible from information security point of view. That's essentially sharing the TOTP secret as well as your username (alice@google.com) and issuer (Example) with a third-party company with no legal obligation to keep them secret, and doing that over a GET request! Doing so you violate not only every single assumption underlying multi-factor authentication but also most likely your organisation's information security policy. It nullifies any value added by MFA since the only factor that protects you from compromising your account in case of password breach is itself breached.

Just use any QR code generator as long as it's processing your data locally.

NEVER USE ONLINE QR GENERATORS FOR MFA SECRETS

On Linux I'd recommend the python-qrcode library that can print your QR code using ASCII characters on the console.

pip install qrcode

Then:

qr "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example




回答4:


Just want to note, newer versions for Google Authenticator will use the issuer parameter, documented here:

https://github.com/google/google-authenticator/wiki/Key-Uri-Format#issuer

e.g:

https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl=otpauth%3A//totp/User%2540Realm%3Fsecret%3DKO5DE2YD3Q2ZXEOO%26issuer%3DIssuer%2520Name&choe=UTF-8




回答5:


Go to Settings->Change account settings->2-Step Verification->Authenticator app (Default)->Click on edit (edit symbol in left corner)->Change phone. Here you will get a QR code.Scan from your phone with bar code scanner

Valai



来源:https://stackoverflow.com/questions/34520928/how-to-generate-a-qr-code-for-google-authenticator-that-correctly-shows-issuer-d

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!