speakeasyjs / speakeasy

**NOT MAINTAINED** Two-factor authentication for Node.js. One-time passcode generator (HOTP/TOTP) with support for Google Authenticator.
MIT License
2.68k stars 229 forks

Manual entry #119

Open pdashford opened 5 years ago

pdashford commented 5 years ago

Hi all.

If the user is unable to scan the QR code, Google Authenticator has a manual entry option. What would the user enter in this field? I would assume it would not be the secret key that gets generated. Thanks

behnoodk commented 5 years ago

secret.base32 is what Google Authenticator expects when entering the secret manually. I have tested this with Google Authenticator for iOS.

dmitryrn commented 5 years ago

@behnoodk Is it safe to pass secret.base32 to the user? This is what we are saving in our database and what anyone can use to generate 6-digit tokens.

behnoodk commented 5 years ago

@DmitryGG I'm not a security expert but here is what I know.

TOTP is generated using a secret that is shared between user and provider. So your user must have the exact same secret that you saved in your database for them to be able to authenticate. You can either send them the plain base32 encoded secret to enter into Google Authenticator or a similar app like 1Password, or convert the secret to a QR code and send it. The QR code is just a convenient way for the user to enter the secret into their authenticator app.

I suggest you read this: https://github.com/google/google-authenticator/wiki/Key-Uri-Format