Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid TOTP URL for QR code #25

Open
reepy opened this issue Apr 2, 2020 · 4 comments
Open

Invalid TOTP URL for QR code #25

reepy opened this issue Apr 2, 2020 · 4 comments

Comments

@reepy
Copy link

reepy commented Apr 2, 2020
edited

I was trying to get bna to generate a URL, to create a QR code so I could add it to AndOTP.

However, the QR code wouldn't scan. AndOTP ('Invalid QR code'), Authy ('Invalid format, token format not supported') or FreeOTP ('The token specified was invalid') could use the QR code because of a missing colon. Google Authenticator scans it without issue.

The spec doesn't specify the colon is required.

As soon as the colon is added it works. The colon is present in the example in README.md under 'Getting an OTPAuth URL'.

Steps to reproduce:

  1. Setup bna
  2. Run bna show-url
  3. You'll notice the code is missing the colon before the question mark. This means you can't import this URL into common TOTP apps.

For example: otpauth://totp/Blizzard:SERIAL?secret=SERCRET&issuer=Blizzard&digits=8
Should be: otpauth://totp/Blizzard:SERIAL:?secret=SERCRET&issuer=Blizzard&digits=8

You can verify this:

  1. Install a QR code generator pip3 install qrcode[pil]
  2. Run qr "PASTEURLHERE"
  3. Try and scan the QR code. You'll notice you get an error.
  4. Repeat step 2, but add the missing colon.
  5. Try and scan the QR code. You'll notice it works this time.
@DLslime
Copy link

DLslime commented Jun 10, 2020
edited

No, it doesn't work. AndOTP still can't scan that QR code until you delete &digits=8 manually.

@mprobson
Copy link

Deleting the &digits=8 let me scan the code but then I was unable to use it (or modify it to generate more digits)

@DLslime
Copy link

DLslime commented Jun 15, 2020

AndOTP don't allow you to modify OTP's digits after you add it by scan the QR code. So anyway, it is definitely AndOTP's own defect.
Other authentication Apps should be tested to see whether they also have the similar problem.

@reepy
Copy link
Author

reepy commented Jul 14, 2020

I tried other TOTP apps and it's in the original report (without removing &digits=8):

  • AndOTP - 'Invalid QR code'
  • Authy - 'Invalid format, token format not supported'
  • FreeOTP - 'The token specified was invalid'.

I've just tried a few more:

So maybe the standard is unclear and some are OK with the colon and others aren't?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@reepy @mprobson @DLslime