OTP URL generator

[odbaeu]

I love the feature of the OTP generator! But it's hard to get the right URL (e.g. otpauth://totp/generator?period=30&digits=6&secret=****************) into the field. Could you implement some sort of assistent which helps generating this URL? Or simply scan/upload the barcode?

Thanks! BTW: Buttercup is awesome!

[perry-mitchell]

Scanning a QR code would need camera integration, which we might consider. The browser extension will be able to scan webpages at some point to do this automatically. You can scan QR OTP codes in our mobile app already.

[odbaeu]

I think for the desktop app it's sufficient if we can just copy/paste the text code.

[DanielR-I]

I'm so glad I found this issue... as it was here I learned I needed to supply a URI and not just paste my "Secret Key" into a freshly added OTP field!

I was wondering what I was doing wrong, but all works now that I've followed the URI format otpauth://totp/generator?period=30&digits=6&secret=****************, and I see my OTP's now on my GNU/Linux desktop client, android phone app, and Firefox browser extension!

Looking forward to the requested assistant!

[SirOMGitsYOU]

Scanning a QR code would need camera integration, which we might consider. The browser extension will be able to scan webpages at some point to do this automatically. You can scan QR OTP codes in our mobile app already.

Would it be an easy enough temp-fix for now to by default have the field apply the URI format so when we put in the secret it's automatically applied in the correct URI format, as until finding this article I was about to give up as the 2FA is a big deal for me :D and that URI was kinda hidden to get OTP to work :D

[hellium6]

Agree with @SirOMGitsYOU and @odbaeu . I was having trouble understanding how to make TOTP work. I was entering the secret (like all other password managers do) and it was showing "ERROR".

Luckily I found this issue and this post on medium saying:

Storing your OTP authentication URIs within Buttercup is a great way to ensure that you don’t lose them if you lose your device

This is easier for new websites which shows the QR code and a URL inside the QR which can be directly inputted into Buttercup with the help of a qr scanner app. But I was having trouble adding websites I already have TOTP setup for in AndOTP. AndOTP doesn't show me the original otpauth url, but only the TOTP secret. It shows the QR code, but it shows on my phone screen, so I need another phone and a qr scanner app to scan it! Not ideal.

Thankfully I found a way. I can click the 3 dot button beside each TOTP code, access edit, which shows the secret. Then I can put the secret on a URL like this:

otpauth://totp/Test%3Atest%40test%40test?secret=<INPUT_SECRET_HERE>&issuer=test

for example:

otpauth://totp/Test%3Atest%40test%40test?secret=ABC123XYZ&issuer=test

I can then create a new field of type OTP and put the URL in and it shows me the TOTP code without issues. It works for all the websites I tried it for so far.

It seems to work even with these "test" strings into it. Seems to not matter what I put in between, as long as the secret is correct it seems to work. This way it doesn't even need a qr scanner app.

This makes me say, can't Buttercup just automate this somehow? If any input is given without "otpauth://" then it can assume it's a secret and put it in a url like above and accept it. Currently, it shows "ERROR" instead which would make new users worried, make them search around and if lucky find this issue or otherwise just give up.

[paulsybrandy]

I'm so glad I found this issue... as it was here I learned I needed to supply a URI and not just paste my "Secret Key" into a freshly added OTP field!

I was wondering what I was doing wrong, but all works now that I've followed the URI format otpauth://totp/generator?period=30&digits=6&secret=****************, and I see my OTP's now on my GNU/Linux desktop client, android phone app, and Firefox browser extension!

Looking forward to the requested assistant!

When I read your reply, I was hopeful that I may have found a way to successfully get 2FA codes to show up on Buttercup but this also does not seem to work for me. I have only ever had one ever successfully show up and work, and that is Firefox/Mozilla account. 😔

[odbaeu]

I'm so glad I found this issue... as it was here I learned I needed to supply a URI and not just paste my "Secret Key" into a freshly added OTP field! I was wondering what I was doing wrong, but all works now that I've followed the URI format otpauth://totp/generator?period=30&digits=6&secret=****************, and I see my OTP's now on my GNU/Linux desktop client, android phone app, and Firefox browser extension! Looking forward to the requested assistant!

When I read your reply, I was hopeful that I may have found a way to successfully get 2FA codes to show up on Buttercup but this also does not seem to work for me. I have only ever had one ever successfully show up and work, and that is Firefox/Mozilla account. 😔

I'm still using this method every day. Maybe your secret is incorrect or you need a different period/digits?

[paulsybrandy]

I'm still using this method every day. Maybe your secret is incorrect or you need a different period/digits?

Well ... I know the secret is correct because it works on both my desktop and mobile 2FA apps without an issue. However, I am not 100% sure how the period/digits work so the issue could reside there. I thought it would be as simple as copying and pasting the URI from Aegis (or my desktop 2FA app) into the 'otp' field in buttercup and it would work... just as it had for firefox. But then again, life is rarely ever simple. Thanks for your feedback,

[zicklag]

I just found this issue by searching for how to use the OTP feature, which I'm amazed works so nicely!

I think it'd be useful to have a docs page that outlines the nuances with this, and lets you know it is possible to use on desktop, with a bit of fiddling.

[zicklag]

For those on Linux, here are a couple QR code scanners on FlatHub that might be handy for getting the URLs:

• https://flathub.org/apps/dev.lasheen.qr
• https://flathub.org/apps/com.belmoussaoui.Decoder

[zicklag]

So, I've just setup OTP with 5 or 6 different sites, and they all had a "can't scan, enter the secret manually" that showed what the secret was without scanning the QR code. I think this could save us from needing to put QR code scanning in the app.

I'm thinking a great user experience would be to let you paste the secret in manually, without a URL, and have it auto-detect that the secret has been pasted instead of the URL, and just use the secret directly.

Would you be open to that experience @perry-mitchell? I probably won't have the time for a PR, but if I end up with it, it'd be accepted.

[perry-mitchell]

I don't believe the secret is enough, by itself. Maybe some items are possible to gleam from the website but that sounds dubious.

I've personally not seen a single site yet that provides just the secret - though I have seen some that provide both the QR and the full OTP URI.

Imo this will be handled best by the QR scanner we're adding to the browser extension, which will auto detect such codes.

[odbaeu]

hmm, that's interesting because I've never seen a webpage which provides the OTP URI. Usually they provide the barcode and as alternative method they provide a secret.

I actually opened this issue for 2 reasons. First, the obvious reason which I also wrote in the description and second, to help others who are struggling with the same thing :-).

For me it was a coincident that I found out how to use the OTP feature of Buttercup. Back then we used KeePass at work and in KeePassXC there was a function to extract the OTP URI. I just randomly copied that URI to buttercup and it worked.

[perry-mitchell]

I would like to lean more heavily on the browser extension for OTP capture, as that's where you'll encounter most OTP QR codes. The extension and the mobile app.

Both need to have visual helpers to capture the codes imo, with the browser being the more-tricky of the two in this regard.

The desktop app is not a place I see the majority of users configuring OTPs.. though it probably is at the moment due to the slightly broken user experience of saving OTPs.

Definitely an area we need to work on!