Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to the Power Users community on Codidact!

Power Users is a Q&A site for questions about the usage of computer software and hardware. We are still a small site and would like to grow, so please consider joining our community. We are looking forward to your questions and answers; they are the building blocks of a repository of knowledge we are building together.

Post History

71%
+3 −0
Q&A Synchronize OTP across multiple devices

The QR code for Time-based one-time passwords (TOTP) just contains some secret info[1] to seed the TOTP app.[2] You can dump it into another implementation of TOTP. The seed and the current time wi...

posted 2mo ago by Michael‭  ·  edited 2mo ago by Michael‭

Answer
#2: Post edited by user avatar Michael‭ · 2024-09-12T20:03:33Z (2 months ago)
Rearrange. Add a caution.
  • The QR code for Time-based one-time passwords (TOTP) just contains some secret info[^iv] for an initialization vector (IV) for the TOTP app.[^androtp] You can dump the IV into another implementation of TOTP. The IV and the current time will predictably create the same rotating value at the same time.
  • Most decent password managers have a place for a TOTP seed. Find the button or link that says "I don't want to use a QR code," and you should be able to take the secret data and enter it somewhere else. If you add it everywhere you need when you first set up TOTP, any of those devices will work as the second factor.
  • [^iv]: It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds.
  • [^androtp]: It doesn't have to be Google Authenticator. There are fully open-source implementations.
  • The QR code for Time-based one-time passwords (TOTP) just contains some secret info[^iv] to seed the TOTP app.[^androtp] You can dump it into another implementation of TOTP. The seed and the current time will predictably create the same rotating value at the same time.
  • On the website where you're configuring MFA, find the button or link that says "I don't want to use a QR code." You should be able to take the secret data and enter it somewhere else. Most decent password managers have a place for a TOTP seed.
  • If you add it everywhere you need it when you first set up TOTP, any of those devices will work as the second factor. You can confirm that they all show the same value at the same time. Obviously, that seed is *really important* to keep safe. Anyone with that data has your second-factor.
  • [^iv]: It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds.
  • [^androtp]: It doesn't have to be Google Authenticator. There are fully open-source implementations.
#1: Initial revision by user avatar Michael‭ · 2024-09-12T19:32:04Z (2 months ago)
The QR code for Time-based one-time passwords (TOTP) just contains some secret info[^iv] for an initialization vector (IV) for the TOTP app.[^androtp] You can dump the IV into another implementation of TOTP. The IV and the current time will predictably create the same rotating value at the same time.

Most decent password managers have a place for a TOTP seed. Find the button or link that says "I don't want to use a QR code," and you should be able to take the secret data and enter it somewhere else. If you add it everywhere you need when you first set up TOTP, any of those devices will work as the second factor.

[^iv]: It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds.
[^androtp]: It doesn't have to be Google Authenticator. There are fully open-source implementations.