Closed shanehoban closed 2 years ago
The QR code is composed of an address like this:
otpauth://totp/company:holder?secret={$secretKey}&issuer=company&algorithm=SHA1&digits=6&period=30
What you are looking for is probably just the "secret key", which is the one responsible for generating the codes on your phone, that you may be already using like this:
$google2fa->generateSecretKey();
What Authy is doing is probably encoding that secret key using an internal algorithm, but if in the end they are using the same OTP Google algorithm, they have to use the exact same secret key generation this package uses.
The risk of losing a QR code and a secret key is the same: if you lose one of them your account is already compromised, so maybe you don't even need to double encode it (but, honestly, I would!) and you could just do
$secretKey = $google2fa->generateSecretKey(); // generates AL77CK2NTRXXF2WO
// Format the key string (not the $google2fa object) in lowercase groups of four
echo implode(' ', str_split(strtolower($secretKey), 4));
// al77 ck2n trxx f2wo
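The point of the reply above, as an added example that is not part of the original thread or of the google2fa package: the otpauth URI and the grouped manual-entry key carry the same Base32 secret, so a key typed by hand only needs its display formatting undone before use. The function names are hypothetical, the TOTP routine is a plain RFC 6238 implementation written for this example (it assumes 64-bit PHP 7.4+), and the secret is the sample value from the reply.

```php
<?php
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Manual-entry form: lowercase groups of four, as in the reply above.
function formatForManualEntry(string $secret): string {
    return implode(' ', str_split(strtolower($secret), 4));
}

// Undo the display formatting (spaces, dashes, case) and reject non-Base32 input.
function normalizeSecret(string $typed): string {
    $secret = strtoupper(preg_replace('/[\s-]+/', '', $typed));
    if ($secret === '' || strspn($secret, B32) !== strlen($secret)) {
        throw new InvalidArgumentException('not a Base32 secret');
    }
    return $secret;
}

// Read the secret parameter out of an otpauth:// URI, as a QR scanner would.
function secretFromUri(string $uri): string {
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $params);
    return normalizeSecret($params['secret'] ?? '');
}

function base32Decode(string $secret): string {
    $bits = '';
    foreach (str_split($secret) as $char) {
        $bits .= str_pad(decbin(strpos(B32, $char)), 5, '0', STR_PAD_LEFT);
    }
    // Keep whole bytes only; trailing padding bits are dropped.
    $whole = substr($bits, 0, intdiv(strlen($bits), 8) * 8);
    return implode('', array_map(fn ($b) => chr(bindec($b)), str_split($whole, 8)));
}

// RFC 6238 TOTP with the URI's parameters: SHA1, 6 digits, 30-second period.
function totp(string $secret, int $time, int $digits = 6, int $period = 30): string {
    $hash = hash_hmac('sha1', pack('J', intdiv($time, $period)), base32Decode($secret), true);
    $offset = ord($hash[19]) & 0x0f;
    $code = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($code % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

$secret = 'AL77CK2NTRXXF2WO'; // sample value from the reply; never use it for a real account
$uri = "otpauth://totp/company:holder?secret={$secret}&issuer=company&algorithm=SHA1&digits=6&period=30";
$typed = formatForManualEntry($secret); // what the user would type by hand
$now = time();
// Compare the code derived from the scanned URI with the one from the typed key.
var_dump(hash_equals(totp(secretFromUri($uri), $now), totp(normalizeSecret($typed), $now)));
```

Because the typed key is the full shared secret, it deserves the same handling as the QR code: show it once during enrolment and keep it out of logs and support tickets.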
Using Authy as an example, in the cases where the user cannot scan a QR code, you have the ability to enter a code to enable 2FA:
Can this library support this option or is this something that can be implemented?
Thanks, otherwise this works flawlessly, much appreciated!