
Manual entry

Open pdashford opened this issue 7 years ago • 3 comments

Hi all.

If the user is unable to scan the QR code, Google Authenticator has a manual entry option. What would the user enter in this field? I would assume it would not be the secret key that gets generated? Thanks

pdashford avatar Oct 30 '18 12:10 pdashford

secret.base32 is what Google Authenticator expects when entering the secret manually. I have tested this with Google Authenticator for iOS.

behnoodk avatar Oct 31 '18 14:10 behnoodk

@behnoodk Is it safe to pass secret.base32 to the user? This is what we are saving in our database and what anyone can use to generate 6-digit tokens.

dmitryrn avatar Nov 01 '18 12:11 dmitryrn

@DmitryGG I'm not a security expert but here is what I know.

TOTP is generated using a secret that is shared between user and provider. So your user must have the exact same secret that you saved in your database for them to be able to authenticate. You can either send them the plain base32-encoded secret to enter into Google Authenticator or a similar app like 1Password, or convert the secret to a QR code and send it. The QR code is just a convenient way for the user to enter the secret into their authenticator app.

I suggest you read this: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

behnoodk avatar Nov 01 '18 14:11 behnoodk