speakeasyjs / speakeasy

**NOT MAINTAINED** Two-factor authentication for Node.js. One-time passcode generator (HOTP/TOTP) with support for Google Authenticator.

Manual entry

pdashford opened this issue · comments

Hi all.

If the user is unable to scan the QR code, Google Authenticator has a manual entry option. What would the user enter in this field? I would assume it would not be the secret key that gets generated. Thanks

secret.base32 is what Google Authenticator expects when entering the secret manually. I have tested this with Google Authenticator for iOS.

@behnoodk Is it safe to pass secret.base32 to the user? This is what we are saving in our database and what anyone can use to generate 6-digit tokens.

@Dmitrygg I'm not a security expert but here is what I know.

TOTP is generated using a secret that is shared between user and provider. So your user must have the exact same secret that you saved in your database for them to be able to authenticate. You can either send them the plain base32 encoded secret to enter into Google Authenticator or a similar app like 1Password, or convert the secret to a QR code and send it. The QR code is just a convenient way for the user to enter the secret into their authenticator app.

I suggest you read this:
https://github.com/google/google-authenticator/wiki/Key-Uri-Format