Why is there no formal specification for otpauth URLs?

Yes yes, Cunningham's law etc etc!

I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really.

IANA has a provisional registration - but no spec.

It links to an archived Google Wiki which, as we'll come on to, isn't sufficient.

There's some doc

shkspr.mobi/blog/2022/05/why-i

#/etc/ #2fa #qr #security #totp

I would fucking *love* someone on cybersecurity Mastodon to prove me wrong.
Please! Show me how stupid I am and how obvious it is to find a formal specification of the otpauth URL structure.

@Edent in theory, you should see the QR code or base32 password once and only if you're authenticated. Then the website will never show you the same QR code again. If you lose the key, that should completely block you. I probably didn't understand your question well (I'm French)


@Edent but there is an RFC for 2FA and the algorithm is explained. I was writing a tutorial ( and ). Didn't finish yet.

@metal3d yes, I linked to that in my blog post above.
See shkspr.mobi/blog/2022/05/why-i

But that specification is incomplete and doesn't fully describe the format.

@Edent oh sorry, I didn't take the time to read and I answered too fast.

@Edent I will give you my opinion (I can be wrong). The RFC gives recommendations about time step and replay (allowing the user to be late). So I would say: never use something in the URL which is not described in the RFC. For example, icons are not described (it's not related to authentication). It's a bit like CSS, which has vendor prefixes; I never use them.

@Edent but yes, that's right, a global and official specification should be written for totp URLs

@Edent and a good otp app should not ask something which is not in spec. I personally use Bitwarden without any problem. And afaik they don't support anything else than the basic parameters.
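
The "basic parameters only" approach from the replies above, as an added example that is not code from anyone in this thread: a strict `otpauth://` parser that rejects ambiguous input and reports any parameter it does not recognise. The parameter names and the issuer-must-match-label rule are taken from the archived Google Authenticator Key URI Format wiki; the function name `parse_otpauth` and the `icon` parameter in the sample are constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, unquote, urlsplit

# Names from the archived Google "Key Uri Format" wiki (allow-list is an assumption).
KNOWN = {"secret", "issuer", "algorithm", "digits", "period", "counter"}
# Constructed sample; "icon" stands in for an app-specific extension parameter.
SAMPLE = ("otpauth://totp/Example:alice@example.com"
          "?secret=JBSWY3DPEHPK3PXP&issuer=Example&icon=x.png")


def parse_otpauth(uri):
    """Return (fields, ignored_params); raise ValueError on a malformed URI."""
    parts = urlsplit(uri)
    otp_type = parts.netloc.lower()
    if parts.scheme != "otpauth" or otp_type not in ("totp", "hotp"):
        raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        raise ValueError("duplicate parameter")  # ambiguous, so reject
    secret = params.get("secret", "").upper().rstrip("=")
    try:
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc
    if not key:
        raise ValueError("secret is required")
    label = unquote(parts.path.lstrip("/"))
    prefix, _, account = label.rpartition(":")  # prefix is "" when no colon
    issuer = params.get("issuer", prefix)
    if prefix and issuer != prefix:
        raise ValueError("issuer parameter and label prefix disagree")
    algorithm = params.get("algorithm", "SHA1").upper()
    digits = params.get("digits", "6")
    period = params.get("period", "30")
    if algorithm not in ("SHA1", "SHA256", "SHA512") or digits not in ("6", "8"):
        raise ValueError("unsupported algorithm or digits")
    if not (period.isascii() and period.isdigit() and int(period) > 0):
        raise ValueError("period must be a positive integer")
    fields = {"type": otp_type, "issuer": issuer, "account": account.strip(),
              "key": key, "algorithm": algorithm, "digits": int(digits),
              "period": int(period)}
    if otp_type == "hotp":
        counter = params.get("counter", "")
        if not (counter.isascii() and counter.isdigit()):
            raise ValueError("hotp requires a numeric counter")
        fields["counter"] = int(counter)
    return fields, sorted(set(params) - KNOWN)
```
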
