Two-factor authentication with Google Authenticator - manually type key instead of scanning QR code

Asked 13/11, 2017 at 15:15 Answered 26/1, 2018 at 1:46

Solved qr-code two-factor-authentication one-time-password google-authenticator totp

In Google Authenticator app you can either scan a QR code or manually type a key provided by the issuer.

In the following screenshot you can see the setup of 2FA among Google Security settings, displaying how to get the TOTP by following the 2nd method.

My question is: how is this key generated?

I'm trying to support 2FA with Google Authenticator for my website and I found many references and docs about how to generate the QR code, but none even mentioning the alternate method.

Edit:

To be a bit clearer, I'm supporting 2FA with Google Authenticator in a Grails 3 webapp. I already implemented the whole user flow by generating a secret key (Base32 string) for each user, providing a QR code for users to scan, and verifying the TOTP on login. I used as dependencies:

org.jboss.aerogear:aerogear-otp-java, aerogear OTP to conveniently verify user secret key against the TOTP from GA
org.grails.plugins:qrcode, qrcode Grails plugin to generate the QR code

My question is about the 2 ways to add a new entry in Google Authenticator app: 1. scan QR code (everything ok on my side) 2. manually type the account name along with an alphabetic code (in my 1st screenshot, the code is provided within Google Security Settings)

You can see an explicatory screenshot from GA for Android:

How can I generate and provide such code (starting with fzee in the 1st screenshot, and named "provided key" in the 2nd one) to the user? I'm sure it's an encoding of the same data string also encoded in the QR code, but I don't know which (not simply Base32).

Exert answered 13/11, 2017 at 15:15 Comment(2)

#47368654 here you get all – Molecular 18/11, 2017 at 17:19

Thanks but my issue is not about the QR code support (generation, scan, etc): as I wrote above I already implemented the whole 2FA flow involving QR code scan. My question is about the 2nd input method Google Authenticator app supports, where you type an alphanumeric key (basically giving the same result as scanning the QR code): how can I generate it? – Exert 20/11, 2017 at 11:47

key = secret

The key should be the same as the secret you generated. Just test it by opening google authenticator and manually adding it as the key.

Check out the docs at the link below: https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DiOS&hl=en

Morning answered 26/1, 2018 at 1:46 Comment(1)

I guess I made it a much bigger problem than it actually is, I used multiple sources as reference and was convinced that key was the result of some encoding of secret. I'm accepting this answer as it's the most concise, however thanks everyone for your answers! – Exert 31/1, 2018 at 11:38

The Google Authenticator Setup QR code is generated based on a few things, one of these is the "secret key", so depending on the codebase you are using to build it into your site the "secret key" is normally generated first and that key is then used to generate the QR code.

If you look at this node.js module you can see what I am talking about

// generate base32 secret
var secret = GA.encode('base 32 encoded user secret') || GA.secret();

// get QRCode in SVG format
var qrCode = GA.qrCode('akanass', 'otp.js', secret);

https://github.com/njl07/otp.js/#qrcode-generation

Here is another example site where you can manually generate the QR code, You can provide a Label, User, Key and URL, and that will then generate the QR code.

https://dan.hersam.com/tools/gen-qr-code.html

Let me know what codebase you are trying to use to implement this into your site then I can help you track down where the secret key is generated

Besides answered 14/11, 2017 at 1:43 Comment(4)

Thanks for your reply. I edited my question above as I guess I didn't explain myself clearly enough ;) – Exert 14/11, 2017 at 11:48

have you tried just using the Base32 string? if that does not work try Base32.decode(secret) – Besides 15/11, 2017 at 4:48

Yes, Base32 encoding was actually my 1st test, but it really seems it's not the solution. For example the string otpauth://totp/MySite:[email protected]?secret=EFWYTW6H1INJ3XQZ&issuer=MySite is encoded into a very long string (

N52HAYLVORUDULZPORXXI4BPJV4VG2LUMU5GK3LBNFWEA3LZONUXIZJOMNXW2P3TMVRXEZLUHVCUMV2ZKRLTMSBRJFHEUM2YKFNCM2LTON2WK4R5JV4VG2LUMU======

). Too long to manage (and it has right padding) – Exert 15/11, 2017 at 11:9

you just need the secret=EFWYTW6H1INJ3X‌QZ part - are you saying you only have access to the "very long string"? You will ether need to decode that then strip out the secret or you will need to figure out how to get only the secret key out with the code you are using, or try to use a different implementation if the one you are using does not allow the output of the secret – Besides 16/11, 2017 at 1:24

Recommended topics

Hot tags