How to generate a QR Code for Google Authenticator that correctly shows Issuer displayed above the OTP?

Solution 1

Warning: sharing your TOTP seed with third-parties breaks the very basic assumption of multi-factor authentication that the TOTP seed is secret.

Just figured this out.

As it turns out, I needed to encode all the special characters in the 'oauth', i.e., '$', '%', '=', etc.

So, using the same Google Charts URL as before, but encoding those characters, like this:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/Example%3Aalice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP%26issuer%3DExample

And it works correctly.

Solution 2

The responses recommending usage of Google Charts are absolutely terrible from information security point of view. That's essentially sharing the TOTP secret as well as your username ([email protected]) and issuer (Example) with a third-party company with no legal obligation to keep them secret, and doing that over a GET request! Doing so you violate not only every single assumption underlying multi-factor authentication but also most likely your organisation's information security policy. It nullifies any value added by MFA since the only factor that protects you from compromising your account in case of password breach is itself breached.

Just use any QR code generator as long as it's processing your data locally.

NEVER USE ONLINE QR GENERATORS FOR MFA SECRETS

On Linux I'd recommend the python-qrcode library that can print your QR code using UTF-8 characters on the console.

pip install qrcode

Then:

qr "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"

Solution 3

I use a different way using a local qrencode installation:

qrencode -o- -d 300 -s 10 "otpauth://totp/YOUR_IDENTIFICATION?secret=YOUR_SECRET" | display

In this way I can rebuild my lost authentication key library from what I had on my laptop.

If you are worried about the SECRET showing up in the bash history you can read the secret in hidden mode and use it:

read -p "Write your secre here (no output expected): " -s YOUR_SECRET
qrencode -o- -d 300 -s 10 "otpauth://totp/YOUR_IDENTIFICATION?secret=$YOUR_SECRET" | display

In this way, when you close the bash session, no trace of your secrets will available.

Author by

Mark J. Bobak

I wear a lot of hats at my current employer, NITS Solutions. I'm the Lead Oracle DBA, as well as the AWS Admin, and the general IT Specialist. Usually, if it has to do with computers, and it's not a coding problem, it'll probably land on my desk. I'm an Oracle ACE Alumni, and a member of the OakTable Network. In addition to my activity here, I participate in the Oracle Community Forums, and am active on the Oracle-L mailing list, of which I am the administrator. I am a regular speaker at local, regional, national, and international Oracle conferences. Finally, I have blog on WordPress, at https://markjbobak.wordpress.com/.

Updated on July 09, 2022