pyauth / pyotp

Python One-Time Password Library
https://pyauth.github.io/pyotp/

[ Tested on Okta MFA ] QRCode scanned doesn't have any "secret=" and hence unable to get required secret #141

Closed dannyi96 closed 1 year ago

dannyi96 commented 1 year ago

Firstly, Kudos to this amazing project which is helping us automate a lot of things

Wanted to report & get some feedback on one of the issues we were facing w.r.t. Okta MFA (apologies if the query is trivial, I have limited knowledge of the under-the-hood aspects of 2FA).

Problem Description: In the tutorials, all the QR codes scanned generate a URL of the form:

otpauth://totp/alice@google.com?secret=JBSWY3DPEHPK3PXP

which is further used in the pyotp APIs

However in our enterprise solution, the QR code generates a URL of the form

otpauth://totp/<company>.okta.com:danielis%40<company>.net?issuer=<company>.okta.com&t=XYXYXYXYXYXYXYXYXYXY&f=ABABABABABABABABABAB&s=https%3A%2F%2F<company>.okta.com&touchIdRequired=false

and doesn't have this secret parameter

Hence the usual method of

import pyotp

totp = pyotp.TOTP("secret")  # "secret" stands for the base32 value from the secret= parameter
print("Current OTP:", totp.now())

doesn't work here.

Is this a known limitation? Any insights on this would be highly appreciated. Thanks in advance.

kislyuk commented 1 year ago

Hi, thanks for your interest in PyOTP.

The otpauth URI you noted is not compatible with the otpauth URI specification. In particular, the secret parameter is required: https://github.com/google/google-authenticator/wiki/Key-Uri-Format#secret.

This is further described here: https://battlepenguin.com/tech/replacing-okta-verify-with-open-source-software/
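To make the "secret is required" point concrete, here is an added example (not pyotp's code and not from either commenter) that parses an otpauth URI the way the Key Uri Format expects, refuses the Okta-style URI from the report because it carries no secret= parameter, and computes an RFC 6238 TOTP from a spec-compliant one using only the standard library. The two sample URIs are constructed with placeholder hostnames (example.okta.com, alice@google.com as in the tutorials); the t, f and s parameters are the opaque Okta values from the report and are not interpreted. The totp_at function reimplements what pyotp.TOTP(secret).at(t) computes, so the check runs without pyotp installed.

```python
"""Check an otpauth:// URI against the Key Uri Format and show why an
Okta Verify enrollment URI cannot be handed to pyotp.TOTP."""
import base64
import binascii
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URIs (no real credentials; hostnames are placeholders).
STANDARD_URI = "otpauth://totp/alice@google.com?secret=JBSWY3DPEHPK3PXP"
OKTA_STYLE_URI = (
    "otpauth://totp/example.okta.com:alice%40example.net"
    "?issuer=example.okta.com&t=XYXYXYXYXYXYXYXYXYXY"
    "&f=ABABABABABABABABABAB&s=https%3A%2F%2Fexample.okta.com"
    "&touchIdRequired=false"
)


def decode_base32_secret(secret):
    """Decode a base32 secret, tolerating missing '=' padding like pyotp does."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(cleaned)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base32: {exc}") from exc


def parse_otpauth_uri(uri):
    """Return the fields of a spec-compliant otpauth URI as a dict.

    Raises ValueError when the URI breaks the Key Uri Format, in particular
    when the mandatory 'secret' parameter is absent.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError(f"expected otpauth:// scheme, got {parsed.scheme!r}")
    otp_type = parsed.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unknown OTP type {otp_type!r}")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError(
            "URI has no 'secret' parameter (present parameters: "
            + ", ".join(sorted(params)) + "); it cannot be used with pyotp.TOTP"
        )
    decode_base32_secret(params["secret"])  # fail early on a malformed secret
    if otp_type == "hotp" and "counter" not in params:
        raise ValueError("hotp URIs must carry a 'counter' parameter")
    return {
        "type": otp_type,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def is_pyotp_compatible(uri):
    """True when the URI carries everything pyotp.TOTP/HOTP would need."""
    try:
        parse_otpauth_uri(uri)
    except ValueError:
        return False
    return True


def totp_at(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP for a base32 secret at a given Unix time; this is the
    computation behind pyotp.TOTP(secret).at(unix_time)."""
    key = decode_base32_secret(secret_b32)
    counter = int(unix_time) // period
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    for uri in (STANDARD_URI, OKTA_STYLE_URI):
        try:
            fields = parse_otpauth_uri(uri)
            print("OK  ", fields["label"], "->", totp_at(
                fields["secret"], 59, fields["digits"],
                fields["period"], fields["algorithm"]))
        except ValueError as err:
            print("FAIL", uri.split("?")[0], "->", err)
```

Running the script prints an OK line with a code for the tutorial URI and a FAIL line for the Okta-style one that lists the parameters it did carry (f, issuer, s, t, touchIdRequired) so the missing secret is obvious. The same parse step is the right place to reject a scanned QR code before it reaches pyotp, rather than letting a base32 decode error surface later.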

dannyi96 commented 1 year ago

Thanks a lot @kislyuk for the response & the references. They're really helpful.

dannyi96 commented 1 year ago

Just wanted to update that it works with Okta MFA as well on following the article you mentioned - https://battlepenguin.com/tech/replacing-okta-verify-with-open-source-software/

(Not sure if this is something worth mentioning in the pyOTP docs, as it could help others who are using Okta as well.)

But again, thanks for the valuable response 🙂