Why is there no formal specification for otpauth URLs?
Yes yes, Cunningham's law etc etc!
I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really.
IANA has a provisional registration - but no spec.
It links to an archived Google Wiki which, as we'll come on to, isn't sufficient.
There's some doc
https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-specification-for-otpauth-urls/
@Edent in theory, you should see the QR code or base32 password once and only if you're authenticated. Then the website will never show you the same QR code again. If you lose the key, that should completely block you. I probably didn't understand your question well (I'm French)
@Edent just in case, the RFC is also described by Google here: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
@metal3d yes, I linked to that in my blog post above.
See https://shkspr.mobi/blog/2022/05/why-is-there-no-formal-specification-for-otpauth-urls/
But that specification is incomplete and doesn't fully describe the format.
@Edent oh sorry, I didn't take the time to read and I answered too fast.
@metal3d no worries.
@Edent and a good OTP app should not ask for something which is not in the spec. I personally use Bitwarden without any problem. And afaik they don't support anything other than the basic parameters.