
Fix url-encoding in generateOtpAuthUrl and support UTF-8 key ids

Open andi5 opened this issue 5 years ago • 3 comments

When using generateOtpAuthUrl(), the contents are already url-encoded as that would fit for the chl query parameter of the qrImageUrl(). This way the plain URL is not usable, though.

As a side note, is it really a good idea to offer sharing secrets with google so easily? The user of the library should strive for high security, right?

andi5 avatar Mar 29 '21 10:03 andi5

Thanks for the feedback @andi5 . Do you have any recommendations on other ways to get the QR code? Maybe publish a list of QR code generator websites?

j256 avatar Sep 14 '21 19:09 j256

I suppose you could have an optional dependency on a library that is able to create qr codes. I would argue that the secret should not leave a "trusted domain" other than as encoded in a QR code that is to be consumed by a user. It should not go to Google or any other website that generates QR codes. At least this part should be documented clearly.

andi5 avatar Sep 15 '21 18:09 andi5
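The two points raised so far, the double-encoded return value of generateOtpAuthUrl() and keeping the shared secret out of a third-party chart service, can be shown side by side. The following is an added example and not code from the two-factor-auth library: it builds the plain otpauth:// URL with each component percent-encoded exactly once (UTF-8 issuer, space as %20), applies the second encoding only where the whole URL is embedded as a query-parameter value, and renders the QR code locally with zxing. It assumes Java 10+ (for the Charset overloads of URLEncoder/URLDecoder), zxing core and javase on the classpath as an optional dependency, and constructed sample values; the method and class names are my own.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

import com.google.zxing.BarcodeFormat;
import com.google.zxing.WriterException;
import com.google.zxing.client.j2se.MatrixToImageWriter;
import com.google.zxing.common.BitMatrix;
import com.google.zxing.qrcode.QRCodeWriter;

public class OtpAuthUrlExample {

    /** Percent-encode one URL component: UTF-8 bytes, space as %20 (never '+'). */
    static String percentEncode(String component) {
        // URLEncoder emits application/x-www-form-urlencoded output, which is what an
        // otpauth:// label needs except that it writes spaces as '+'. Authenticator apps
        // do not reliably treat '+' as a space, so rewrite it to %20.
        return URLEncoder.encode(component, StandardCharsets.UTF_8).replace("+", "%20");
    }

    /**
     * The plain otpauth:// URL. Every component is encoded once, so this is what an
     * authenticator app expects when it scans the code or is handed the URL directly.
     */
    static String otpAuthUrl(String issuer, String account, String base32Secret) {
        String label = percentEncode(issuer) + ":" + percentEncode(account);
        return "otpauth://totp/" + label
                + "?secret=" + base32Secret   // base32 alphabet needs no encoding
                + "&issuer=" + percentEncode(issuer);
    }

    /**
     * Only when the whole otpauth URL is placed inside a query parameter of another URL
     * does it need a second round of encoding. Keeping this step out of otpAuthUrl() is
     * what makes the plain URL usable on its own.
     */
    static String chartQueryParam(String otpAuthUrl) {
        return "chl=" + percentEncode(otpAuthUrl);
    }

    /** Render the QR code locally with zxing; the secret never leaves the host. */
    static Path writeQrPng(String otpAuthUrl, Path out) throws WriterException, IOException {
        BitMatrix matrix = new QRCodeWriter().encode(otpAuthUrl, BarcodeFormat.QR_CODE, 300, 300);
        MatrixToImageWriter.writeToPath(matrix, "PNG", out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the secret is a throwaway base32 string, not a real key.
        String url = otpAuthUrl("Ünïcode Corp", "alice@example.com", "NY4A5CPJZ46LXZCP");
        System.out.println(url);

        // This is what a remote chart service would receive: the otpauth URL encoded a
        // second time, shared secret included. Decoding it once must give back the plain URL.
        String param = chartQueryParam(url);
        System.out.println(param);
        String roundTrip = URLDecoder.decode(param.substring("chl=".length()), StandardCharsets.UTF_8);
        if (!roundTrip.equals(url)) {
            throw new AssertionError("second encoding does not round-trip to the plain URL");
        }

        // Local rendering avoids handing the secret to any external service or its logs.
        writeQrPng(url, Paths.get("totp-enrolment.png"));
    }
}
```

The separation matters for both concerns: a caller who wants the plain URL gets one that authenticator apps accept as-is, and a caller who insists on an image URL applies the second encoding explicitly, at which point it is obvious that the secret is being sent to whoever serves that image.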

Right now the javadocs say: Return the QR image url thanks to Google.

That's not enough?

https://github.com/j256/two-factor-auth/blob/master/src/main/java/com/j256/twofactorauth/TimeBasedOneTimePasswordUtil.java#L445

j256 avatar Sep 15 '21 19:09 j256