Comments on Synchronize OTP across multiple devices

Parent

Synchronize OTP across multiple devices

+4
−0

A lot of sites these days use OTP. I'm not very familiar with this, but you normally install an app like Google Authenticator on your phone. The app serves an OTP code on demand which you enter along with your user/pass into the website's login form.

For something like this, I really dislike using software from proprietary vendors. Ideally it should be something as open as possible.

Also, with many of these apps, it seems like your phone is the single point of failure. Maybe some people consider their phone very precious, but for me this is a concern - I might lose my phone, I might reinstall the OS, I don't really want to create a situation where losing access to my phone also means losing access to my bank account.

Is there an OTP solution I can use, where my "account" can be synchronized across devices (Android, Linux PC) so that for example when a website asks me for the OTP code, I have the option of generating that from my phone as well as my computer?


0 comment threads

Post
+3
−0

The QR code for Time-based one-time passwords (TOTP) just contains some secret info[1] to seed the TOTP app.[2] You can dump it into another implementation of TOTP. The seed and the current time will predictably create the same rotating value at the same time.

On the website where you're configuring MFA, find the button or link that says "I don't want to use a QR code." You should be able to take the secret data and enter it somewhere else. Most decent password managers have a place for a TOTP seed.

If you add it everywhere you need it when you first set up TOTP, any of those devices will work as the second factor. You can confirm that they all show the same value at the same time. Obviously, that seed is really important to keep safe. Anyone with that data has your second factor.


  1. It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds.

  2. It doesn't have to be Google Authenticator. There are fully open-source implementations.


1 comment thread

Some more detail (1 comment)
Some more detail
matthewsnyder wrote 2 months ago

Thank you for this pointer!

It sounds like the QR code you get is usually like otpauth://totp/MyApp:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=MyApp&algorithm=SHA256. So it contains all the other crucial pieces like which hash algorithm as well.

So even if the site is crappy and doesn't have the option for no QR code, any QR code decoder should be able to pull the important information out.
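The answer's claim that the seed plus the current time is all a TOTP app needs, and the comment's point that the otpauth URI carries the algorithm and other parameters, can both be checked with a small standalone implementation. The following is an added example, not code from either poster or from any authenticator app: it parses an otpauth:// URI of the shape quoted in the comment (the URI below is constructed, with the same well-known demo secret), computes RFC 4226 HOTP and RFC 6238 TOTP codes, and includes a server-style verifier that accepts codes from a small window of neighbouring time steps, which is the usual tolerance for clock drift between devices.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed URI, modelled on the one quoted in the comment thread above.
# The secret JBSWY3DPEHPK3PXP is the familiar demo value, not a real credential.
EXAMPLE_URI = ("otpauth://totp/MyApp:user@example.com"
               "?secret=JBSWY3DPEHPK3PXP&issuer=MyApp&algorithm=SHA256")


def parse_otpauth(uri):
    """Extract the TOTP parameters that a QR code encodes in an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore base32 padding apps strip
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32, casefold=True),
        "algorithm": params.get("algorithm", "SHA1").upper(),  # SHA1 is the default
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),  # seconds per code, as in footnote 1
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamically truncated to N digits."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, digits=6, algorithm="SHA1", period=30):
    """RFC 6238: HOTP where the counter is the number of periods since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def code_from_uri(uri, unix_time=None):
    """What any device holding a copy of this URI would display at unix_time."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["digits"], p["algorithm"], p["period"])


def verify(secret, candidate, unix_time, digits=6, algorithm="SHA1",
           period=30, window=1):
    """Server-side check: accept the code for the current step or `window` steps
    either side, so a device whose clock is slightly off still authenticates."""
    counter = int(unix_time) // period
    for step in range(counter - window, counter + window + 1):
        expected = hotp(secret, step, digits, algorithm)
        if hmac.compare_digest(expected, candidate):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    # Two "devices" (phone and PC) seeded from the same URI agree on the code.
    phone, pc = code_from_uri(EXAMPLE_URI, now), code_from_uri(EXAMPLE_URI, now)
    print("phone:", phone, "pc:", pc, "match:", phone == pc)
    # RFC 6238 test vector: 20-byte ASCII seed, SHA1, 8 digits, T=59 -> 94287082
    print("rfc vector:", totp(b"12345678901234567890", 59, digits=8))
```

Running the module prints the same code for both simulated devices and the RFC 6238 test vector. The `verify` function is the part that matters for the synchronization question: a PC whose clock drifts by more than `window` periods will generate a valid-looking code that the site rejects, so keeping every device's clock NTP-synchronised is as important as copying the seed.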