Generate a QR Code to Recover Your OTP Secret
Bitcoin.de as some other pages is using a One-Time-Pad (OTP) as two-factor authentication method, actually it is a Time-based One-Time Password algorithm (TOTP). The Passwords are generated based on a shared secret as specified in RFC6238. When activating the two-factor authentication on bitcoin.de the page shows a QR code which is used by OTP apps, such as andOTP (github), Google Authenticator, or OTP Authenticator (github), to transfer the shared secret to the phone. Additionally the page shows the shared secret as a string of letters and numbers, which one should write down and deposit in a safe place.
But what happens, if due to some circumstances you have to bring this shared secret back into the app? The google app provides the possibility to manually enter the string of letters and numbers, but the other two apps don’t. Thus it is necessary to generate a QR code which encodes the shared secret. Unfortunately I didn’t find a comprehensive guide how to do this but I found some pieces, which I had to put together. The first pieces was in the LinOTP documentation which told me that the QR code actually just encodes a URI, but the example was not TOTP. After some more web search I found a python script, which generates all sorts of OATH URIs. Now I know, that the syntax of the URI actually is:
otpauth://totp/<name>?secret=<secret>
As we know already we can use qrencode to generate QR codes (see also this post about WiFi access QR-codes):
qrencode -o code.png -t png "otpauth://totp/<name>?secret=<secret>"
Now just open code.png with an image viewer on your PC and scan the code with your phone.
Some more stuff which I found during my web search:
- https://blogs.forgerock.org/petermajor/2014/02/one-time-passwords-hotp-and-totp/
- http://www.nongnu.org/oath-toolkit/