Account name in MS Authenticator about twofactorauth HOT 18 CLOSED

You can solve this by using the following format in the first parameter of your QR code generator; 'MyApp:UserEmail', e.g.
$tfa->getQRCodeImageAsDataUri('Example App:[email protected]', $secret);

from twofactorauth.

When I scan the QR code from the demo MS Authenticator shows issuer just fine? Does the demo work for you?

!

from twofactorauth.

Thanks for your reply.

From the image below, the bottom bit uses your demo without changes. The one above when I change the text "Demo" to an email address on the QR code generator.

from twofactorauth.

Then I guess that's something MS Authenticator does.

Try replacing the @ with something like [at] or - or _@ where _ is a space for test purposes. If that worked you can try escaping the @ to something like %40. But I'm 99.99% sure other authenticators will then show it incorrectly.

from twofactorauth.

Yes it seems the @ symbol is the one triggering this behaviour in MS authenticator.

Only strange thing is I have other accounts on my MS authenticator with both the account name and email address showing correctly.

from twofactorauth.

Then have a look at the QR codes you used for those accounts and spot the difference. Did you try my replace/escape suggestions?

from twofactorauth.

Yes I tried those and it works to display the account name although the email address will be displayed as it is (i.e. demo%40outlook.com, demo[at]outlook.com).

from twofactorauth.

I'm sorry, but it seems to me that this is an MS Authenticator issue?

from twofactorauth.

On the other hand, Google Authenticator works fine with this.

yeah I think its down to individual OTP clients, if there is one secret you have that works perfectly and you can send us the secret otpauth:// URL (redacted of course) we can probably figure it out but otherwise I don't think there is much that can be done

from twofactorauth.

On the other hand, Google Authenticator works fine with this.

yeah I think its down to individual OTP clients, if there is one secret you have that works perfectly and you can send us the secret otpauth:// URL (redacted of course) we can probably figure it out but otherwise I don't think there is much that can be done

Here's the URL, hope this is what you need?
otpauth://totp/user%40email.com?secret=NRF33J4DOV7UENM6&issuer=My%20App&period=30&algorithm=SHA1&digits=6

from twofactorauth.

only if that one displays correctly in MS Authenticator?

from twofactorauth.

This one does --
otpauth://totp/demo%5Bat%5Doutlook.com?secret=7TOJE6Q7VDULS74T&issuer=RobThree%20TwoFactorAuth&period=30&algorithm=SHA1&digits=6

But please note that I have to replace the @ sign with [at] in order for the account name (RobThree TwoFactorAuth) to show on the MS authenticator.

from twofactorauth.

I'm afraid there's not much we can do in this matter.

from twofactorauth.

Interesting, I was not aware this is part of the spec apparently

https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html
https://github.com/google/google-authenticator/wiki/Key-Uri-Format

Presumably there is nothing stopping you from passing name:email as the label when calling for the QR code, it would be a little dramatic to support an extra parameter without breaking backwards compatibility but I'll have a mess around at some point as I need to redo my implementation anyway.

from twofactorauth.

Hi Rob

Your 2FA is great. I also had problems to display the issuer. While analyzing your code of the TwoFactorAuth class I came across this link. I think the order of your values at Line 158 till 159 are not correct. If I rewrote them as follows and the issuer is shown in all 2FA apps tested (2FAS Auth, FreeOTP).

Your code is

Code should be acc my opinion
return 'otpauth://totp/' . rawurlencode((string)$this->issuer) . ':' . rawurlencode($label)
. '?secret=' . rawurlencode($secret)
. '&issuer=' . rawurlencode((string)$this->issuer)
. '&period=' . $this->period
. '&algorithm=' . rawurlencode(strtoupper($this->algorithm->value))
. '&digits=' . $this->digits;

from twofactorauth.

What you're proposing isn't (just) order, it changes the issuer argument to something with a colon-separator. And that's not how it is shown in the page you linked:

otpauth://totp/ACME%20Co:[email protected]?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

However, it is explained in the label section to provide the issuer argument as well as in the label. So then you could just add the issuer to the $label argument in the getQRCodeImageAsDataUri() call. We COULD auto-prefix the label with the $issuer (which comes from a constructor argument) but then we would need to add a little code to 'detect' wether the $label argument already contains an issuer or not (and if it does - what to do: ignore the issuer from the $label argument and use the given $issuer OR risk a different &issuer=... and issuer from $label value in the TOTP uri...).

Also if order would matter then the whole 'key=value' would be pointlessless; if order actually matters for a client then the client is not... 'very smart'.

from twofactorauth.

Can we close this issue? This would bring the total number of open issues to 0 🎉 !

from twofactorauth.

You do the honors, you've worked hard enough for it 😉

from twofactorauth.