RobThree
commented
2 years ago When I scan the QR code from the demo MS Authenticator shows issuer just fine? Does the demo work for you?
!
Closed ubay25 closed 4 months ago
RobThree
commented
2 years ago When I scan the QR code from the demo MS Authenticator shows issuer just fine? Does the demo work for you?
!
ubay25
commented
2 years ago Thanks for your reply.
From the image below, the bottom bit uses your demo without changes. The one above when I change the text "Demo" to an email address on the QR code generator.
RobThree
commented
2 years ago Then I guess that's something MS Authenticator does.
Try replacing the @ with something like [at] or - or _@ where _ is a space for test purposes. If that worked you can try escaping the @ to something like %40. But I'm 99.99% sure other authenticators will then show it incorrectly.
ubay25
commented
2 years ago Yes it seems the @ symbol is the one triggering this behaviour in MS authenticator.
Only strange thing is I have other accounts on my MS authenticator with both the account name and email address showing correctly.
RobThree
commented
2 years ago Then have a look at the QR codes you used for those accounts and spot the difference. Did you try my replace/escape suggestions?
ubay25
commented
2 years ago Yes I tried those and it works to display the account name although the email address will be displayed as it is (i.e. demo%40outlook.com, demo[at]outlook.com).
RobThree
commented
2 years ago I'm sorry, but it seems to me that this is an MS Authenticator issue?
willpower232
commented
2 years ago On the other hand, Google Authenticator works fine with this.
yeah I think its down to individual OTP clients, if there is one secret you have that works perfectly and you can send us the secret otpauth:// URL (redacted of course) we can probably figure it out but otherwise I don't think there is much that can be done
ubay25
commented
2 years ago On the other hand, Google Authenticator works fine with this.
yeah I think its down to individual OTP clients, if there is one secret you have that works perfectly and you can send us the secret otpauth:// URL (redacted of course) we can probably figure it out but otherwise I don't think there is much that can be done
Here's the URL, hope this is what you need? otpauth://totp/user%40email.com?secret=NRF33J4DOV7UENM6&issuer=My%20App&period=30&algorithm=SHA1&digits=6
willpower232
commented
2 years ago only if that one displays correctly in MS Authenticator?
ubay25
commented
2 years ago This one does -- otpauth://totp/demo%5Bat%5Doutlook.com?secret=7TOJE6Q7VDULS74T&issuer=RobThree%20TwoFactorAuth&period=30&algorithm=SHA1&digits=6
But please note that I have to replace the @ sign with [at] in order for the account name (RobThree TwoFactorAuth) to show on the MS authenticator.
RobThree
commented
2 years ago I'm afraid there's not much we can do in this matter.
greyrockinnovations
commented
2 years ago You can solve this by using the following format in the first parameter of your QR code generator; 'MyApp:UserEmail', e.g.
$tfa->getQRCodeImageAsDataUri('Example App:user@example.com', $secret);
willpower232
commented
2 years ago Interesting, I was not aware this is part of the spec apparently
https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html https://github.com/google/google-authenticator/wiki/Key-Uri-Format
Presumably there is nothing stopping you from passing name:email as the label when calling for the QR code, it would be a little dramatic to support an extra parameter without breaking backwards compatibility but I'll have a mess around at some point as I need to redo my implementation anyway.
JakobBernoulli
commented
1 year ago Hi Rob
Your 2FA is great. I also had problems to display the issuer. While analyzing your code of the TwoFactorAuth class I came across this link. I think the order of your values at Line 158 till 159 are not correct. If I rewrote them as follows and the issuer is shown in all 2FA apps tested (2FAS Auth, FreeOTP).
Code should be acc my opinion
return 'otpauth://totp/' . rawurlencode((string)$this->issuer) . ':' . rawurlencode($label)
. '?secret=' . rawurlencode($secret)
. '&issuer=' . rawurlencode((string)$this->issuer)
. '&period=' . $this->period
. '&algorithm=' . rawurlencode(strtoupper($this->algorithm->value))
. '&digits=' . $this->digits;
RobThree
commented
1 year ago What you're proposing isn't (just) order, it changes the issuer argument to something with a colon-separator. And that's not how it is shown in the page you linked:
otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30
However, it is explained in the label section to provide the issuer argument as well as in the label. So then you could just add the issuer to the $label argument in the getQRCodeImageAsDataUri() call. We COULD auto-prefix the label with the $issuer (which comes from a constructor argument) but then we would need to add a little code to 'detect' wether the $label argument already contains an issuer or not (and if it does - what to do: ignore the issuer from the $label argument and use the given $issuer OR risk a different &issuer=... and issuer from $label value in the TOTP uri...).
Also if order would matter then the whole 'key=value' would be pointlessless; if order actually matters for a client then the client is not... 'very smart'.
NicolasCARPi
commented
4 months ago Can we close this issue? This would bring the total number of open issues to 0 :tada: !
RobThree
commented
4 months ago You do the honors, you've worked hard enough for it 😉
Firstly, thanks for this library, very useful and easy to use.
When I initialize the class and specify a name ( i.e. $tfa = new TwoFactorAuth('My App'); ) MS Authenticator doesn't seem to apply this and uses the domain name of the email address as the account name on its authenticator app.
On the other hand, Google Authenticator works fine with this.
Any ideas?