Why is there no formal specification for otpauth URLs?
Yes yes, Cunningham's law etc etc!
I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really.
IANA has a provisional registration - but no spec.
It links to an archived Google Wiki which, as we'll come on to, isn't sufficient.
There's some doc
https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-specification-for-otpauth-urls/
@Edent in case of, the RFC is also described by Google here: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
@metal3d yes, I linked to that in my blog post above.
See https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-specification-for-otpauth-urls/
But that specification is incomplete and doesn't fully describe the format.
@Edent ho sorry I didn't take the time to read and I answered too fast.
@metal3d no worries.
@Edent I will give you my opinion (I can be wrong). RFC gives recommendations about time step and replay (allow the user to be late). So I would say: never use something in the URL which is not described in the RFC. For example, icons are not described (it's not related to authentication). It's a bit like css which has got vendor prefixes, I never use them.
@Edent but yes, that's right, a global and official specification should be written for totp URLs
@Edent and a good otp app should not ask something which is not in spec. I personally use Bitwarden without any problem. And afaik they don't support anything else than the basic parameters.
@Edent lol I love the apple specification you linked which is exactly the same as the Google one but prefixed by "apple-".
https://developer.apple.com/documentation/authenticationservices/securing_logins_with_icloud_keychain_verification_codes
@Edent but there is an RFC for 2FA and the algorithm is explained. I was writing a tutorial (#Python and #Go). Didn't finish yet.
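The two points made in this thread (the otpauth URL format is only documented on the Google wiki, and the code-generation algorithm itself is in RFC 4226/6238 with a time-step and lateness allowance) can be shown side by side in one short Python script. This is an added example, not code from the blog post or from any participant in the thread: it parses an otpauth:// URI using only the parameters the Google wiki lists (anything else, such as a vendor icon parameter, is set aside rather than acted on), derives HOTP/TOTP codes with the standard library, and verifies a submitted code with a one-step skew window. Function names (`parse_otpauth`, `hotp`, `totp`, `verify_totp`, `code_for_uri`) and the demo URI are my own; the key `12345678901234567890` and the expected codes are the published RFC 4226/6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Hash algorithms named on the Google "Key Uri Format" wiki page.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
# Query parameters documented there; anything else is treated as vendor-specific.
KNOWN_PARAMS = {"secret", "issuer", "algorithm", "digits", "period", "counter"}


def decode_base32(secret):
    """Decode a base32 secret; otpauth URIs usually omit the '=' padding."""
    cleaned = secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def parse_otpauth(uri):
    """Parse an otpauth:// URI. Unknown query parameters are returned separately
    so the caller can ignore them instead of acting on undocumented data."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError("unsupported type: %r" % otp_type)
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "secret" not in params:
        raise ValueError("secret parameter is required")
    # The issuer may appear as a parameter or as the "Issuer:" prefix of the label.
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = "", label
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    if otp_type == "hotp" and "counter" not in params:
        raise ValueError("hotp requires a counter parameter")
    return {
        "type": otp_type,
        "issuer": params.get("issuer", label_issuer.strip()),
        "account": account.strip(),
        "secret": decode_base32(params["secret"]),
        "algorithm": algorithm,
        "digits": digits,
        "period": int(params.get("period", "30")),
        "counter": int(params["counter"]) if otp_type == "hotp" else None,
        "unknown_params": {k: params[k] for k in params if k not in KNOWN_PARAMS},
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, int(at) // period, digits, algorithm)


def verify_totp(key, code, at, period=30, digits=6, algorithm="SHA1", skew=1):
    """Accept a code from the current step or up to `skew` steps either side.
    Returns the matching counter (persist it and reject any later submission
    with a counter <= the stored one, which blocks replay) or None."""
    base = int(at) // period
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(key, base + delta, digits, algorithm), code):
            return base + delta
    return None


def code_for_uri(uri, at):
    """Parse a URI and produce the TOTP for time `at` or the HOTP for its counter."""
    p = parse_otpauth(uri)
    if p["type"] == "totp":
        return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])
    return hotp(p["secret"], p["counter"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    # Constructed demo URI carrying the RFC test key plus an undocumented parameter.
    demo = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&image=ignored")
    parsed = parse_otpauth(demo)
    print(parsed["issuer"], parsed["account"], parsed["unknown_params"])
    print(code_for_uri(demo, 59))  # RFC 6238 SHA1 vector at T=59: 94287082
```

`verify_totp` returns the counter that matched rather than just True so the caller can store it; accepting a code whose counter is not greater than the last accepted one is what turns the RFC's lateness allowance into a replay hole, and the check is cheap.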