Track issuer name from TOTP URIs

[ddevault]

I would like to see a reference of issuer names from TOTP URIs for reference, and this seems like a good project to host such a list.

[mxxcon]

I don't understand your request. Please elaborate.

[ddevault]

The QR code you scan for software auth encodes an otpauth:// URI, which includes the secret key but also the name of the issuer and the account name (i.e. "Google" and "someguy@gmail.com"). I think this project would be useful to people implementing TOTP apps (like me) as a database of issuer names and logos for the associated issuer.

[mxxcon]

We already have logos.

As for the issuer, the problem here, if we were to add it, is that to get this info we'd need to actually create accounts on every single site to get the actual QR code and extract issuer parameter. It might create too much of a friction for users to keep adding sites. Also what use/benefit would knowing the issuer parameter would be for the users of tfa.org site?

[ddevault]

Could be optional, and adding them would be a volunteer effort over time. I imagine they wouldn't be of any use to people on tfa.org, but would just be extra data in the YAML files that people can use for making TFA support better in the world in general.

[RichJeanes]

So you're talking about making a 2FA token app that pulls site logos based on their issuer name to display next to user account tokens (eg. How Authy displays site logos), but as a publicly available database for any developer to use. Is that an accurate statement? This would be a rather large responsibility then, if apps start relying on this site. I feel like that does not quite line up with our current objectives for the site and would require quite a bit of internal discussion, were we to consider it.

[ddevault]

Right, similar to that. And I don't expect anyone to hit the website, more like add this repo as a submodule.

[RichJeanes]

That seems like it would be better off as a separate project. I don't think anyone here would have an issue with someone else using the icons we have gathered to create a new GitHub repo to house that.

[mxxcon]

how does authy get logos in its app? somebody manually adds them? How many sites that offer totp utilize issuerer parameter?

[ddevault]

Authy was presumably manual. Pretty much everyone provides the issuer parameter.

[RichJeanes]

I don't know how that works with the free tier, but I would imagine that the paying customers of Authy have some hand in that part of the process.

[mxxcon]

One thing to consider is that we intentionally kept things very generic with hardware/software/email/sms/phone so that we don't have to go on a hunting expedition of what exact 2fa implementation is being used.

Who's going to populate all the existing entries with that field? What is a simple process to extract that issuerer parameter?

[RichJeanes]

It only applies to standard TOTP and can be extracted from the setup QR code when adding 2FA to an account using any barcode scanner app that will display the plaintext (eg. Zxing)

But I still don't think it is within the scope of this project.

[gingerbeardman]

Just an aside. I previously used Authy and icons are definitely manual by somebody there. About half my services did not have an icon, and my support request asking for more, or user-added, icons was answered with "we are already aware of this". I no longer use Authy

[Carlgo11]

@gingerbeardman This really doesn't have anything to do with this issue so I suggest you open another one if you feel this is something relevant to this repo.

Authy came out with an update about a month ago with lots of new icons. I brought the lack of icons up with them when I visited their offices earlier this fall and they said they have other plans as well to fix this issue. Furthermore Authy is still one of the best 2FA apps in my opinion. Their encrypted backups is something I haven't seen on any other 2FA app and they're updating the app regularly.

[gingerbeardman]

Even after that Authy update I was still short a lot of icons. Plus they did not fix the bugs I reported in the last 3 updates.

I now use 2STP on iOS and Mac (read only) and IMHO it beats Authy in pretty much every area apart from - ironically - icons. I especially love the "export QR codes" feature which will make migration to another app easy if/when I need to do that.

But, yeah, off topic - sorry :)