iainrough

Decode TOTP (Time-based One-time Password) QR Code

How not to do this.


DO NOT USE AN ONLINE SERVICE

Online services such as https://webqr.com/ or https://www.qrstuff.com/scan are fine for normal QR codes, but they should never be used for TOTP QR codes: the QR code contains the shared secret, and uploading the image hands that secret to a third party.

What's inside the QR code

A TOTP QR code contains the following details (all values are placeholders).

    Hex secret: 3132333435363738393031323334353637383930
    Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
    Digits: 8
    Window size: 0
    TOTP mode: SHA1
    Step size (seconds): 30
    Start time: 1970-01-01 00:00:00 UTC (0)
    Time now: 2033-05-18 03:33:20 UTC (2000000000)
    Counter: 0x3F940AA (66666666)

Information from: oathtool

For more information visit oathtool

Decode QR code locally


Install

Mac

    brew install zbar

Windows(WSL), Linux

    sudo apt-get install zbar-tools

Example

    /mnt/c/Users/rough$ zbarimg /mnt/c/tmp/a.png
    otpauth://totp/hub.docker.com:{username}?algorithm=SHA1&digits=6&issuer=hub.docker.com&period=30&secret={Key}

You can now store the OTPAUTH URI in your favorite password manager, or add just the {Key} so that your password manager can generate the TOTP code.

How to add your TOTP key to LastPass

Top comments (1)

David Paine

How about the following online QR code scanner
dnschecker.org/qr-code-scanner.php
What are your reviews about that? Should it help it out in case of TOTP QR Codes?