Posted

Hi All

Hopefully an admin/developer will see this post.

The forums have the ability to set up One Time Pass 2 factor authentication via the Google Authenticator option - which is great!

However, when you have many accounts in your Authenticator app with the same email address against them, scanning the QR code overrides existing accounts in your Authenticator app. I am using the Microsoft Authenticator app, as this is my preference.

I have written an app myself which generates otpauth:// addresses for QR codes which doesn't have this problem.

I have noticed in your code you have the following line:

system/MFA/GoogleAuthenticator/Handler.php

        $data   = "otpauth://totp/{$member->email}?secret={$secret}&issuer=" . rawurlencode( \IPS\Settings::i()->board_name );

If you change this line to:

        $data   = "otpauth://totp/" . rawurlencode( \IPS\Settings::i()->board_name ). ":{$member->email}?secret={$secret}&issuer=" . rawurlencode( \IPS\Settings::i()->board_name );

You don't get this problem and it all works perfectly. We have similar code in our project:

otpauth://totp/{1}:{0}?secret={2}&issuer={1}

0=username, 1=issuer, 2=secret

I have changed this line on my own installation, however this will get overwritten when we next update, which is not ideal to maintain. Is this something you guys could look at changing?

Thanks in advance
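The label collision described in the post above, as an added example that is not part of the original post or of the forum software's own code. `buildOtpauthUri()` and `labelKey()` are hypothetical helpers, the site names, address and secrets are constructed, and `labelKey()` models an app that files entries under the label alone, which is an assumption about app behaviour rather than documented fact.

```php
<?php
declare(strict_types=1);

// Build a TOTP provisioning URI. With $prefixLabel the label is "issuer:account";
// each part is percent-encoded on its own and the ":" separator stays literal.
function buildOtpauthUri(string $issuer, string $account, string $secret, bool $prefixLabel = true): string
{
    // A colon inside either part would make the issuer/account split ambiguous.
    if (strpos($issuer, ':') !== false || strpos($account, ':') !== false) {
        throw new InvalidArgumentException('issuer and account must not contain ":"');
    }
    $label = rawurlencode($account);
    if ($prefixLabel) {
        $label = rawurlencode($issuer) . ':' . $label;
    }
    // Keep the issuer parameter as well, with the same value as the label prefix.
    $query = http_build_query(['secret' => $secret, 'issuer' => $issuer], '', '&', PHP_QUERY_RFC3986);
    return "otpauth://totp/{$label}?{$query}";
}

// Assumed model of an app that keys stored entries by the decoded label only
// and ignores the issuer query parameter.
function labelKey(string $uri): string
{
    $path = (string) parse_url($uri, PHP_URL_PATH);
    return rawurldecode(ltrim($path, '/'));
}

// Constructed sample data: two sites, one shared email address.
$email = 'user@example.com';
$sites = ['Forum A' => 'JBSWY3DPEHPK3PXP', 'Forum B' => 'KRSXG5CTMVRXEZLU'];

foreach ([false, true] as $prefixLabel) {
    $keys = [];
    foreach ($sites as $issuer => $secret) {
        $uri = buildOtpauthUri($issuer, $email, $secret, $prefixLabel);
        $keys[] = labelKey($uri);
        echo $uri, PHP_EOL;
    }
    // Two enrolments collapsing to one unique key means the second scan
    // would replace the first entry in a label-keyed app.
    printf("prefix=%s unique keys=%d of %d\n\n",
        $prefixLabel ? 'yes' : 'no', count(array_unique($keys)), count($keys));
}
```

Encoding the account part as well keeps characters such as `@`, spaces or `?` in an address or board name from changing how the URI is parsed.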

Posted

Interesting. I would think this is more of a deficiency in the Microsoft app. I can see the same behaviour, but the Google Auth app is using the issuer value as a prefix.

I would expect Google Authenticator to show the name of the site twice if we added our own prefix. We would need to test that though.

Posted

Hi Stuart

Thanks for your reply.

It may well be a deficiency in the MS app, but possibly others!? Building the otpauth URL like the above does improve support for all the apps out there.

Do you know if this is something that could be changed for another release?

On a side note, it would be great if it was all labelled OTP and more generic rather than Google Authenticator. This method of MFA is great and not limited to Google. Some customisation of the instructions and prompts would be great too, mostly this screen for the end users.
