Display human readable secret when setting up 2 factor auth

When setting up two factor authentication, would it be possible to have it display the actual TOTP secret in readable form as well as the QR code? I have two factor auth enabled on my account, and I want to set up a separate login for my accountant, but I’m not sure whether he has a phone that will run Google Authenticator.

However, the TOTP scheme that Google Authenticator implements is an open standard, and there are alternative implementations of the same algorithm including http://gauth.apps.gbraad.nl (an offline HTML5 application that runs in any browser, storing your secrets in LocalStorage). I tested this successfully by extracting the 16 character secret from the QuickFile generated QR code using a QR reader app, but obviously that’s not much use if the problem is that you don’t have a smartphone capable of scanning QR codes in the first place…

Would you consider displaying the secret on the registration page in plain text alongside the QR code, or maybe as a popup “I can’t scan the code” option? This would be useful for people using non-Google TOTP apps, but also for people with the Google app but a faulty camera, as the app offers the option to type in the secret manually if you can’t scan the QR code.

(P.S. I’d suggest Affinity but given he hadn’t heard of QuickFile before I mentioned it I don’t think he has any other clients who use it - maybe once he’s seen my setup he might suggest it to other people :wink: )

I’ve logged this one for review. We’ve got quite a lot of other commitments on at the moment but we’ll definitely take a closer look at the spec.

We now display the human readable key when setting up your 2-Factor authentication.

I must confess I haven’t tested this myself but I see it’s recently gone live. Any feedback welcome!
