iainrough

Posted on May 11, 2021

Decode TOTP(Time-based One-time Password) QR Code

#totp #security #qrcode

How not to do this.

DO NOT USE AN ONLINE SERVICE

While an online service such as https://webqr.com/ or https://www.qrstuff.com/scan are fine for normal QR codes they should never be used for TOTP QR Codes.

What inside the QR CODE

A TOTP QR code contains the following details (all values are placeholders).


     Hex secret: 3132333435363738393031323334353637383930
     Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
     Digits: 8
     Window size: 0
     TOTP mode: SHA1
     Step size (seconds): 30
     Start time: 1970-01-01 00:00:00 UTC (0)
     Time now: 2033-05-18 03:33:20 UTC (2000000000)
     Counter: 0x3F940AA (66666666)

Information from: oathtool

For more information visit oathtool

Decode QR code locally

Install

Mac


 install zbar

Windows(WSL), Linux


 apt-get install zbarimg

Example



/mnt/c/Users/rough$ zbarimg /mnt/c/tmp/a.png
otpauth://totp/hub.docker.com:{username}?algorithm=SHA1&digits=6&issuer=hub.docker.com&period=30&secret={Key}

You can now store the OTPAUTH URI in your favorite password manager or add the {Key} so that your password manager can generate the TOPT code.

How to add your TOPT key to LastPass

Top comments (1)

David Paine • Sep 28 '21

How about the following online QR code scanner
dnschecker.org/qr-code-scanner.php
What your reviews about that? Should it help it out in case of TOTP QR Codes?

DEV Community

Decode TOTP(Time-based One-time Password) QR Code

How not to do this.

What inside the QR CODE

Decode QR code locally

Install

Mac

Windows(WSL), Linux

Example

Top comments (1)

Read next

Optimizing Keycloak Caches: Best Practices for Embedded and External Infinispan

Securely Connecting Azure Container Apps to Azure OpenAI Using User Managed Identity

Securing APIs with YARP: Authentication and Authorization in .NET 8 Minimal APIs

🛡️ Effective Vulnerability Monitoring in Kubernetes