When configuring TOTP logins for users, the otpauth:// URI encoded in the displayed QR code is incorrectly URI-encoding the payload data, causing software TOTP token applications to generate the wrong tokens.
- QR code image
- Account: someuser%40C020053HBCDGM1A
- Secret (HEX): [...]
- Secret (BASE32): PQYV3KY5D374GGKAKC3CSHBXHZ======
The ====== in this example is incorrectly being URI encoded and presented as %3D%3D%3D%3D%3D%3D.
Here is an example of the output read from the QR code image:
- otpauth://totp/someuser%40C020053HBCDGM1A?secret=PQYV3KY5D374GGKAKC3CSHBXHZ%3D%3D%3D%3D%3D%3D&issuer=Sophos%20SFOS&period=30
which should actually be:
- otpauth://totp/someuser%40C020053HBCDGM1A?secret=PQYV3KY5D374GGKAKC3CSHBXHZ======&issuer=Sophos%20SFOS&period=30
Either manually entering the (BASE32) secret into the token generator or editing the otpauth:// URI after scanning resolves this issue.
The behaviour above affected both Authy and 1Password, but will likely affect all QR code reading authenticator applications.
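An added example, not part of the original post: a tolerant otpauth:// reader that percent-decodes the query before base32-decoding, so the two URIs above yield the same key and the same code, beside a model of a reader that skips percent-decoding and cannot decode the first URI at all. The third URI is constructed from the RFC 6238 test secret so the TOTP arithmetic can be checked against a published vector.

```python
import base64
import binascii
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# The two URIs from the post (padding as emitted, then as expected) plus a
# constructed URI carrying the RFC 6238 test secret "12345678901234567890".
ENCODED_URI = ("otpauth://totp/someuser%40C020053HBCDGM1A?secret="
               "PQYV3KY5D374GGKAKC3CSHBXHZ%3D%3D%3D%3D%3D%3D&issuer=Sophos%20SFOS&period=30")
CORRECT_URI = ("otpauth://totp/someuser%40C020053HBCDGM1A?secret="
               "PQYV3KY5D374GGKAKC3CSHBXHZ======&issuer=Sophos%20SFOS&period=30")
RFC6238_URI = "otpauth://totp/rfc%40example?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&period=30"

def parse_otpauth(uri: str) -> tuple[bytes, int]:
    """Return (key bytes, period). parse_qs percent-decodes the query, so
    '%3D' and '=' both arrive as padding; the padding is stripped and rebuilt
    because b32decode requires a length that is a multiple of 8."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].rstrip("=").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    return key, int(params.get("period", ["30"])[0])

def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def code_from_uri(uri: str, unix_time: int) -> str:
    key, period = parse_otpauth(uri)
    return totp(key, unix_time, period)

def naive_decode_fails(uri: str) -> bool:
    """Model a reader that hands the raw query value to base32 without
    percent-decoding; True means it cannot decode the secret at all."""
    raw = dict(kv.split("=", 1) for kv in uri.split("?", 1)[1].split("&"))
    try:
        base64.b32decode(raw["secret"])
        return False
    except binascii.Error:
        return True
```

Whether a given authenticator silently produces a wrong code or refuses the secret depends on how it handles the `%3D` characters; the tolerant parser sidesteps the question by normalising the padding before decoding.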