noggin
OTP token URI parameters order is wrong
The parameters order in the generated URI for the OTP token is wrong.
To be correctly displayed in authenticator apps, the order should be:
otpauth://<TYPE>/<ISSUER>:<ACCOUNT>?secret=<SECRET>&<OPTIONAL_PARAMS>
while Noggin generates:
otpauth://<TYPE>/<username@domain>:<OTP_DESCRIPTION>?secret=<SECRET>&issuer=<username@domain>
while it should be something like:
otpauth://<TYPE>/Fedoraproject%20staging:[email protected]?secret=<SECRET>&issuer=Fedoraproject%20staging
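The two layouts the report contrasts, as an added example that is not Noggin's code: a builder that emits the issuer-first label the Key URI format describes, and a checker that flags a URI whose label prefix or issuer parameter is not the service name. The issuer string, account, and secret below are constructed placeholders.

```python
"""Build and check otpauth:// key URIs in the issuer-first layout.

Added example, not Noggin's own code.  The issuer name, account and
secret used in the demo are constructed placeholders.
"""
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def build_otpauth_uri(otp_type, issuer, account, secret, **optional):
    """Return otpauth://<TYPE>/<ISSUER>:<ACCOUNT>?secret=<SECRET>&issuer=<ISSUER>&...

    The issuer is written twice on purpose: in the label prefix, which
    older authenticator apps display, and as the issuer parameter, which
    newer apps read.  Spaces are encoded as %20 (quote, not quote_plus)
    because some apps do not treat '+' as a space in the label.
    """
    if otp_type not in ("totp", "hotp"):
        raise ValueError("otp_type must be 'totp' or 'hotp'")
    if ":" in issuer or ":" in account:
        raise ValueError("issuer and account must not contain ':'")
    label = f"{quote(issuer, safe='')}:{quote(account, safe='@')}"
    params = {"secret": secret, "issuer": issuer}
    params.update(optional)  # e.g. algorithm, digits, period
    return f"otpauth://{otp_type}/{label}?{urlencode(params, quote_via=quote)}"


def check_otpauth_uri(uri, expected_issuer):
    """Parse a key URI and compare it against the expected service issuer.

    'well_formed' is True only when the label prefix and the issuer
    parameter both equal expected_issuer, i.e. the layout the report
    asks for.  A URI that puts the username in the issuer slot parses
    fine but is reported as not well formed.
    """
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:  # no issuer prefix at all
        label_issuer, account = None, label_issuer
    issuer_param = parse_qs(parts.query).get("issuer", [None])[0]
    return {
        "type": parts.netloc,
        "label_issuer": label_issuer,
        "account": account.strip(),
        "issuer": issuer_param,
        "well_formed": label_issuer == issuer_param == expected_issuer,
    }


# Constructed demo values; the secret is a placeholder, not a real token.
ISSUER = "Fedoraproject staging"
ACCOUNT = "user@example.org"
SECRET = "JBSWY3DPEHPK3PXP"


def demo():
    """Return (good_uri, good_check, bad_check) for the two layouts."""
    good = build_otpauth_uri("totp", ISSUER, ACCOUNT, SECRET)
    # The layout the report objects to: username as issuer, description
    # in the account slot.  Constructed by hand for comparison.
    bad = f"otpauth://totp/{ACCOUNT}:My%20phone?secret={SECRET}&issuer={ACCOUNT}"
    return good, check_otpauth_uri(good, ISSUER), check_otpauth_uri(bad, ISSUER)


if __name__ == "__main__":
    uri, good_check, bad_check = demo()
    print(uri)
    print("issuer-first layout well formed:", good_check["well_formed"])
    print("username-as-issuer layout well formed:", bad_check["well_formed"])
```

The checker rejects the username-as-issuer layout even though it is internally consistent, which is the point of the report: the Key URI format has no slot for a per-token description, so the service name belongs in the issuer and the account name in the label.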
That's what we had before, and I've been asked to change it in #607. I don't really know what's best, to be honest.
Well, the standard was set by Google: https://github.com/google/google-authenticator/wiki/Key-Uri-Format see also: https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html
I understand that Noggin is a special case: it is the only service where I can have more than one 2FA token for my account enabled at the same time. But I think users can easily rename tokens as they prefer in the authenticator app (for example, Authenticator Pro allows that).