What data do I have to use to generate a QR code for Google Authenticator?

Question

I want to utilize the Google Authenticator app for login purposes in our application.

I'm using speakeasy to generate the base data for the authentication. It can also spit out a URL to a Google website that generates a QR code which I can scan with Google Authenticator to set up the scheme.

I want to generate the QR code myself, mainly because I want to display it in the console using qrcode-terminal.

What data do I have to encode in the QR code to make it work?

Answer 1

The string you have to encode is:

otpauth://totp/ApplicationName?secret= + key.base32

• ApplicationName is the name of your application that you want to have displayed in Google Authenticator.

Your implementation would look something like this:

var key = speakeasy.generate_key( {length : 20} );
qrcode.generate( "otpauth://totp/foo?secret=" + key.base32, function( qrcode ) {
  console.log( qrcode );
} );

There's also official documentation available on the format.

Answer 2

What data do I have to encode in the QR code to make it work?

Google Authenticator has a wiki. The KeyUriFormat has the following example:

Provision a TOTP key for user "alice@google.com", to use with a service provided by Example, Inc:

otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

This Base32 encoded key "JBSWY3DPEHPK3PXP" has the value:

byte[] key = { 'H', 'e', 'l', 'l', 'o', '!', (byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF };

Its important to use the company name ("Example") in both the beginning and the end (with the issuer). See ConflictingAccounts for details.