wstrange / GoogleAuth

Google Authenticator Server side code


What is the verificationCode at UNIX Epoch for?

Glamdring opened this issue · comments

The key object (GoogleAuthenticatorKey) has a secret (the purpose of which is clear), scratch codes (the purpose is clear) and a verificationCode at UNIX Epoch. The purpose of the last one is not documented, and it's not used or passed anywhere (except to the repository).

Is there any purpose for that one, and do we have to store it? If yes, please add it to the documentation. If not, maybe get rid of it?

I just stumbled upon the same thing… maybe it's for storing the last verification code used, so that it can't be used again (as required by RFC6238)?

Hi @Glamdring, @pascal-hofmann, it's actually hinted at in the documentation (the PDF manual) but it's vague and incomplete. The verification code is used to verify what the first code is (the code generated at the start of the epoch). TOTP doesn't actually require the epoch to be the UNIX epoch, it's just the default value. But in reality I haven't seen anybody using a different epoch. And then, the key is saved without its configuration so you have to know its TOTP configuration to actually verify any code generated with it. Saving this information is actually a feature that should be provided. I'll consider trimming it away.
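To make the last comment concrete, here is an added example (not code from the GoogleAuth library or from anyone in this thread) that computes the "verification code at UNIX epoch" as the TOTP value for time step 0, i.e. HOTP with counter 0, and uses it to check whether a stored key's TOTP configuration (digits, HMAC algorithm) is the one the code was generated with. It assumes the library's defaults described in the thread (base32 secret, SHA-1, 6 digits, 30-second period); the function names are mine, and the secret is the RFC 4226 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> int:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return binary % (10 ** digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secret as stored by the library; re-add padding in case it was stripped."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def totp(secret_b32: str, unix_time: int, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> int:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(decode_secret(secret_b32), unix_time // period, digits, algorithm)


def verification_code_at_epoch(secret_b32: str, digits: int = 6, algorithm: str = "sha1") -> int:
    """The 'verificationCode at UNIX Epoch': the code for time step 0 (counter 0).
    Note that floor(0 / period) == 0 for every period, so this value cannot reveal
    the period; it only pins down the secret, the digit count and the HMAC algorithm."""
    return totp(secret_b32, 0, 1, digits, algorithm)


def stored_config_matches(secret_b32: str, stored_code: int,
                          digits: int = 6, algorithm: str = "sha1") -> bool:
    """True if the stored epoch code was produced with this digits/algorithm configuration."""
    return verification_code_at_epoch(secret_b32, digits, algorithm) == stored_code


if __name__ == "__main__":
    # Constructed input: base32 of the RFC 4226 test secret "12345678901234567890".
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code0 = verification_code_at_epoch(SECRET)
    print("verification code at epoch:", code0)          # 755224 per RFC 4226
    print("6-digit SHA-1 config matches:", stored_config_matches(SECRET, code0))
    print("8-digit SHA-1 config matches:", stored_config_matches(SECRET, code0, digits=8))
    print("TOTP at t=59 (step 1):", totp(SECRET, 59))    # 287082 per RFC 6238
```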