Welcome to the Power Users community on Codidact!
Power Users is a Q&A site for questions about the usage of computer software and hardware. We are still a small site and would like to grow, so please consider joining our community. We are looking forward to your questions and answers; they are the building blocks of a repository of knowledge we are building together.
Post History
The QR code for Time-based one-time passwords (TOTP) just contains some secret info[1] to seed the TOTP app.[2] You can dump it into another implementation of TOTP. The seed and the current time wi...
Answer
#2: Post edited
by
Michael
·
2024-09-12T20:03:33Z (about 1 month ago)
Rearrange. Add a caution.
The QR code for Time-based one-time passwords (TOTP) just contains some secret info[^iv] for an initialization vector (IV) for the TOTP app.[^androtp] You can dump the IV into another implementation of TOTP. The IV and the current time will predictably create the same rotating value at the same time.Most decent password managers have a place for a TOTP seed. Find the button or link that says "I don't want to use a QR code," and you should be able to take the secret data and enter it somewhere else. If you add it everywhere you need when you first set up TOTP, any of those devices will work as the second factor.- [^iv]: It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds.
- [^androtp]: It doesn't have to be Google Authenticator. There are fully open-source implementations.
- The QR code for Time-based one-time passwords (TOTP) just contains some secret info[^iv] to seed the TOTP app.[^androtp] You can dump it into another implementation of TOTP. The seed and the current time will predictably create the same rotating value at the same time.
- On the website where you're configuring MFA, find the button or link that says "I don't want to use a QR code." You should be able to take the secret data and enter it somewhere else. Most decent password managers have a place for a TOTP seed.
- If you add it everywhere you need it when you first set up TOTP, any of those devices will work as the second factor. You can confirm that they all show the same value at the same time. Obviously, that seed is *really important* to keep safe. Anyone with that data has your second-factor.
- [^iv]: It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds.
- [^androtp]: It doesn't have to be Google Authenticator. There are fully open-source implementations.
#1: Initial revision
by
Michael
·
2024-09-12T19:32:04Z (about 1 month ago)
The QR code for Time-based one-time passwords (TOTP) just contains some secret info[^iv] for an initialization vector (IV) for the TOTP app.[^androtp] You can dump the IV into another implementation of TOTP. The IV and the current time will predictably create the same rotating value at the same time. Most decent password managers have a place for a TOTP seed. Find the button or link that says "I don't want to use a QR code," and you should be able to take the secret data and enter it somewhere else. If you add it everywhere you need when you first set up TOTP, any of those devices will work as the second factor. [^iv]: It's usually just a secret key, but could also include, say, how often the TOTP should cycle. The default is typically 30 seconds. [^androtp]: It doesn't have to be Google Authenticator. There are fully open-source implementations.