KeyUriFormat  
The format of URIs containing encoded keys
Featured, Phase-Implementation
Updated Mar 29, 2012 by iw...@google.com

Introduction

Secret keys may be encoded in QR codes as a URI with the following format:

otpauth://TYPE/LABEL?PARAMETERS

Examples

Provision a TOTP key for user "alice@google.com":

otpauth://totp/alice@google.com?secret=JBSWY3DPEHPK3PXP

This Base32 encoded key "JBSWY3DPEHPK3PXP" has the value:

byte[] key = { 'H', 'e', 'l', 'l', 'o', '!', (byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF };

Types

Valid types are hotp and totp, to distinguish whether the key will be used for counter-based HOTP or for TOTP.

Label

The label is the path component of the URI and identifies which account a key is associated with. Valid values might include "Alice", "alice@google.com", or "google.com".

Parameters

Secret

REQUIRED: The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548.

Algorithm

OPTIONAL: The algorithm may have the values:

  • SHA1 (Default)
  • SHA256
  • SHA512
  • MD5

Currently, the algorithm parameter is ignored by the Google Authenticator implementations.

Digits

OPTIONAL: The digits parameter may have the values 6 or 8, and determines the length of the one-time passcode displayed to the user. The default is 6.

Currently, the digits parameter is ignored by the Google Authenticator implementations.

Counter

REQUIRED if TYPE is hotp: The counter parameter is required when provisioning a key for use with HOTP. It will set the initial counter value.

Period

OPTIONAL, only if TYPE is totp: Defines the period, in seconds, for which a TOTP code is valid. The default value is 30.

Currently, the period parameter is ignored by the Google Authenticator implementations.
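As an added example (not code from the Google Authenticator project), the following Python parses the otpauth URI format described above, validates each parameter with the defaults given on this page, and computes the resulting code with HOTP (RFC 4226) or TOTP (RFC 6238). MD5 is deliberately left out of the accepted algorithms: a 16-byte MAC has too few bytes for the RFC 4226 dynamic truncation whenever the offset nibble exceeds 12, so it cannot produce a code for every key. The URIs in the block are constructed samples; the 20-byte key "12345678901234567890" is the RFC 4226/6238 test key, so the output can be checked against those RFCs' test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# "algorithm" values that work with RFC 4226 dynamic truncation. MD5 is omitted:
# its 16-byte MAC is too short when the offset nibble is 13, 14 or 15.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret):
    """Decode the Base32 (RFC 3548 alphabet A-Z, 2-7) secret parameter.

    Provisioning tools often omit the '=' padding or emit lower case; both are
    tolerated. Characters outside the alphabet are rejected rather than guessed.
    """
    s = secret.upper().rstrip("=")
    if not s or any(c not in BASE32_ALPHABET for c in s):
        raise ValueError("secret is not Base32 (A-Z, 2-7)")
    s += "=" * (-len(s) % 8)  # re-pad to a multiple of 8 characters
    return base64.b32decode(s)  # raises binascii.Error (a ValueError) on a bad length


def parse_otpauth(uri):
    """Parse otpauth://TYPE/LABEL?PARAMETERS and validate every parameter."""
    uri = uri.strip()  # tolerate a trailing newline from a shell pipeline
    scheme, sep, rest = uri.partition("://")
    if sep != "://" or scheme.lower() != "otpauth":
        raise ValueError("scheme must be otpauth")
    path, _, query = rest.partition("?")
    otp_type, _, label = path.partition("/")
    otp_type = otp_type.lower()
    if otp_type not in ("hotp", "totp"):
        raise ValueError("TYPE must be hotp or totp")
    if not label:
        raise ValueError("LABEL is empty")
    q = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

    if "secret" not in q:
        raise ValueError("secret parameter is required")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm " + algorithm)
    digits = int(q.get("digits", "6"))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    params = {
        "type": otp_type,
        "label": unquote(label),
        "secret": decode_secret(q["secret"]),
        "algorithm": algorithm,
        "digits": digits,
    }
    if otp_type == "hotp":
        if "counter" not in q:
            raise ValueError("counter parameter is required for hotp")
        params["counter"] = int(q["counter"])
        if params["counter"] < 0:
            raise ValueError("counter must be non-negative")
    else:
        params["period"] = int(q.get("period", "30"))
        if params["period"] <= 0:
            raise ValueError("period must be positive")
    return params


def is_valid_otpauth(uri):
    """True if parse_otpauth accepts the URI, False on any validation error."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def otp_for(params, now=None):
    """Code for a parsed URI: HOTP uses the stored counter, TOTP (RFC 6238) uses
    floor(unix_time / period) as the counter."""
    if params["type"] == "hotp":
        counter = params["counter"]
    else:
        counter = int((time.time() if now is None else now) // params["period"])
    return hotp(params["secret"], counter, params["digits"], ALGORITHMS[params["algorithm"]])


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any real enrolment.
    for uri in ("otpauth://totp/alice@google.com?secret=JBSWY3DPEHPK3PXP",
                "otpauth://hotp/alice@google.com?secret=JBSWY3DPEHPK3PXP&counter=0"):
        p = parse_otpauth(uri)
        print(p["type"], p["label"], p["secret"].hex(), otp_for(p))
```

Feeding the page's own example URI through parse_otpauth yields the ten-byte key shown above ("Hello!" followed by DE AD BE EF); a secret whose length is not a valid Base32 group, a 7-digit request, or an hotp URI without a counter is rejected before any code is computed.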

Comment by dbradfor...@gmail.com, Apr 12, 2011

I'm not able to set up my Google Authenticator because the keys I'm being given are not working; it's telling me that the number 8 is illegal or that the keys are too short.

Comment by hilitec2...@gmail.com, Apr 21, 2011

Hello,

The Google Authenticator is working with a base32 encoding for the manual typed key, which means a restricted set of characters: A-Z, 2-7 and = for padding.

Enter a multiple of 8 characters (only A-Z, 2-7) as the manual key, and it will work !

In your HOTP/TOTP validator (you can use, for example, a free LGPL PHP library implementing HOTP and TOTP, called multiOTP), you will have to type in the hexadecimal value of the key. A Base32 to hexadecimal converter can be found here.

Comment by jlco...@gmail.com, May 25, 2011

Testing with the iPhone app I found there is a maximum secret length of 16 Base32 characters (10 bytes decoded).

Please document the key length clearly.

Comment by emweb...@gmail.com, Aug 24, 2011

Why is the @ in the label not URL encoded or similar?

Comment by di...@squareup.com, Aug 30, 2011

I cannot add an HOTP account using google authenticator for iOS (but GA for Android works just fine).

Example: http://qrcode.kaywa.com/img.php?s=8&d=otpauth%3A%2F%2Fhotp%2FDiogo%3Fsecret%3DJBSWY3DPEHPK3PXP

Comment by dag.erling@gmail.com, Apr 13, 2012

The iOS app seems to handle longer keys just fine now (160 bits = 20 bytes = 32 base32 characters). However, it rejects the URI if there is whitespace at the end (in my case, a newline, from piping the URI from the program that generated it into qrencode). The Android app, on the other hand, doesn't mind whitespace.
