Account name in MS Authenticator #92

Closed
ubay25 opened this issue Apr 14, 2022 · 18 comments

@ubay25

ubay25 commented Apr 14, 2022

Firstly, thanks for this library, very useful and easy to use.

When I initialize the class and specify a name (i.e. $tfa = new TwoFactorAuth('My App');), MS Authenticator doesn't seem to apply this and uses the domain name of the email address as the account name in its authenticator app.

On the other hand, Google Authenticator works fine with this.

Any ideas?

@RobThree
Owner

RobThree commented Apr 14, 2022

When I scan the QR code from the demo, MS Authenticator shows the issuer just fine? Does the demo work for you?

[screenshot]

@RobThree RobThree self-assigned this Apr 14, 2022
@ubay25
Author

ubay25 commented Apr 14, 2022

Thanks for your reply.

In the image below, the bottom part uses your demo without changes. The one above is when I change the text "Demo" to an email address in the QR code generator.

[screenshot: MSA]

@RobThree
Owner

Then I guess that's something MS Authenticator does.

Try replacing the @ with something like [at] or - or _@ where _ is a space for test purposes. If that worked you can try escaping the @ to something like %40. But I'm 99.99% sure other authenticators will then show it incorrectly.

@ubay25
Author

ubay25 commented Apr 14, 2022

Yes, it seems the @ symbol is the one triggering this behaviour in MS Authenticator.

Only strange thing is I have other accounts on my MS authenticator with both the account name and email address showing correctly.

@RobThree
Owner

Then have a look at the QR codes you used for those accounts and spot the difference. Did you try my replace/escape suggestions?

@ubay25
Author

ubay25 commented Apr 14, 2022

Yes, I tried those and it works to display the account name, although the email address will be displayed as it is (i.e. demo%40outlook.com, demo[at]outlook.com).

@RobThree
Owner

I'm sorry, but it seems to me that this is an MS Authenticator issue?

@willpower232
Collaborator

> On the other hand, Google Authenticator works fine with this.

Yeah, I think it's down to individual OTP clients. If there is one secret you have that works perfectly and you can send us the secret otpauth:// URL (redacted, of course), we can probably figure it out, but otherwise I don't think there is much that can be done.

@ubay25
Author

ubay25 commented Apr 20, 2022

> > On the other hand, Google Authenticator works fine with this.
>
> Yeah, I think it's down to individual OTP clients. If there is one secret you have that works perfectly and you can send us the secret otpauth:// URL (redacted, of course), we can probably figure it out, but otherwise I don't think there is much that can be done.

Here's the URL, hope this is what you need?
otpauth://totp/user%40email.com?secret=NRF33J4DOV7UENM6&issuer=My%20App&period=30&algorithm=SHA1&digits=6

@willpower232
Collaborator

only if that one displays correctly in MS Authenticator?

@ubay25
Author

ubay25 commented Apr 20, 2022

This one does --
otpauth://totp/demo%5Bat%5Doutlook.com?secret=7TOJE6Q7VDULS74T&issuer=RobThree%20TwoFactorAuth&period=30&algorithm=SHA1&digits=6

But please note that I have to replace the @ sign with [at] in order for the account name (RobThree TwoFactorAuth) to show in MS Authenticator.

@RobThree
Owner

I'm afraid there's not much we can do in this matter.

@greyrockinnovations

greyrockinnovations commented Jul 20, 2022

You can solve this by using the following format in the first parameter of your QR code generator: 'MyApp:UserEmail', e.g.
$tfa->getQRCodeImageAsDataUri('Example App:user@example.com', $secret);

@willpower232
Collaborator

Interesting, I was not aware this is part of the spec apparently

https://docs.yubico.com/yesdk/users-manual/application-oath/uri-string-format.html
https://github.com/google/google-authenticator/wiki/Key-Uri-Format

Presumably there is nothing stopping you from passing name:email as the label when calling for the QR code, it would be a little dramatic to support an extra parameter without breaking backwards compatibility but I'll have a mess around at some point as I need to redo my implementation anyway.

@JakobBernoulli

JakobBernoulli commented May 25, 2023

Hi Rob

Your 2FA is great. I also had problems displaying the issuer. While analyzing your code of the TwoFactorAuth class I came across this link. I think the order of your values at lines 158 to 159 is not correct. If I rewrite them as follows, the issuer is shown in all 2FA apps tested (2FAS Auth, FreeOTP).

Your code is:

```php
return 'otpauth://totp/' . rawurlencode($label)
    . '?secret=' . rawurlencode($secret)
    . '&issuer=' . rawurlencode((string)$this->issuer)
    . '&period=' . intval($this->period)
    . '&algorithm=' . rawurlencode(strtoupper($this->algorithm->value))
    . '&digits=' . intval($this->digits);
```

The code should be, in my opinion:

```php
return 'otpauth://totp/' . rawurlencode((string)$this->issuer) . ':' . rawurlencode($label)
    . '?secret=' . rawurlencode($secret)
    . '&issuer=' . rawurlencode((string)$this->issuer)
    . '&period=' . $this->period
    . '&algorithm=' . rawurlencode(strtoupper($this->algorithm->value))
    . '&digits=' . $this->digits;
```

@RobThree
Owner

What you're proposing isn't (just) order, it changes the issuer argument to something with a colon separator. And that's not how it is shown in the page you linked:

otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

However, it is explained in the label section to provide the issuer argument as well as in the label. So then you could just add the issuer to the $label argument in the getQRCodeImageAsDataUri() call. We COULD auto-prefix the label with the $issuer (which comes from a constructor argument) but then we would need to add a little code to 'detect' whether the $label argument already contains an issuer or not (and if it does - what to do: ignore the issuer from the $label argument and use the given $issuer OR risk a different &issuer=... and issuer from $label value in the TOTP URI...).

Also, if order would matter then the whole 'key=value' would be pointless; if order actually matters for a client then the client is not... 'very smart'.
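The two points above, greyrockinnovations' "MyApp:UserEmail" label format and RobThree's concern that an auto-prefixed label could disagree with the &issuer= parameter, come down to how the Key URI is built and read back. The following is an added example, not code from the TwoFactorAuth library or from anyone in this thread, written in Python against the Key Uri Format linked earlier. It puts the issuer both in the label (issuer, literal colon, account) and in the query parameter, percent-encodes the issuer and account separately so that `@` becomes `%40` and a space becomes `%20` while the separator stays a literal `:`, and on the parsing side splits the label at the first colon and refuses a URI whose label-issuer and parameter-issuer disagree. The function names and the sample secret are this example's own.

```python
"""
otpauth:// Key URI helpers: issuer-prefixed label plus issuer parameter.

Added example (not the TwoFactorAuth library's code). Follows the Key Uri
Format from the Google Authenticator wiki linked in the thread: the label is
"issuer:account" and the same issuer is repeated as a query parameter, so a
client that reads the label prefix and one that reads the parameter both
show the issuer.
"""
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_totp_uri(issuer: str, account: str, secret: str, *,
                   period: int = 30, algorithm: str = "SHA1",
                   digits: int = 6) -> str:
    """Return an otpauth://totp/ URI with the issuer in the label and as a parameter."""
    if ":" in issuer:
        # ':' is the label separator; an issuer containing one makes the label ambiguous.
        raise ValueError("issuer must not contain ':'")
    if not account:
        raise ValueError("account must not be empty")
    # Encode the two label parts separately: '@' -> %40, ' ' -> %20, but the
    # separator between them stays a literal ':' as in the spec's example.
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    query = "&".join([
        "secret=" + quote(secret, safe=""),
        "issuer=" + quote(issuer, safe=""),
        f"period={int(period)}",
        "algorithm=" + quote(algorithm.upper(), safe=""),
        f"digits={int(digits)}",
    ])
    return f"otpauth://totp/{label}?{query}"


def parse_totp_uri(uri: str) -> dict:
    """Parse a TOTP Key URI and reconcile the label issuer with the issuer parameter."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    # Decode first so a %3A-encoded colon is treated the same as a literal one.
    label = unquote(parts.path.lstrip("/"))
    query = parse_qs(parts.query, keep_blank_values=True)
    # Split at the first ':' only; the account part may itself contain colons.
    label_issuer, sep, account = label.partition(":")
    if not sep:
        # No prefix: the whole label is the account name.
        label_issuer, account = "", label
    # Some clients historically wrote "Issuer: account"; tolerate the space.
    account = account.lstrip(" ")
    param_issuer = query.get("issuer", [""])[0]
    if label_issuer and param_issuer and label_issuer != param_issuer:
        # Two sources of truth that disagree: reject rather than guess.
        raise ValueError(
            f"issuer mismatch: label says {label_issuer!r}, parameter says {param_issuer!r}")
    secret = query.get("secret", [""])[0]
    if not secret:
        raise ValueError("missing secret")
    return {
        "issuer": param_issuer or label_issuer,
        "account": account,
        "secret": secret,
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
    }


if __name__ == "__main__":
    # Constructed sample values; the secret is a throwaway base32 string, not a real key.
    uri = build_totp_uri("My App", "user@email.com", "NRF33J4DOV7UENM6")
    print(uri)
    print(parse_totp_uri(uri))
```

Running the builder with the values from the thread's URL yields `otpauth://totp/My%20App:user%40email.com?secret=...&issuer=My%20App&...`, which is the prefixed form greyrockinnovations described; the parser accepts the spec's `ACME%20Co:john.doe@email.com` example and the thread's unprefixed `user%40email.com` form alike, and raises on a label whose prefix contradicts the `issuer` parameter.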

@NicolasCARPi
Sponsor Collaborator

Can we close this issue? This would bring the total number of open issues to 0 🎉 !

@RobThree
Owner

You do the honors, you've worked hard enough for it 😉
