A Rust CLI to more safely handle QR codes and 32-character TOTP secret keys
Latest commit 1a99219 Jul 15, 2019

README.markdown

QR Forge

A Rust CLI to more safely generate a QR code from a 32-character TOTP secret key. It can also read QR codes back out of image files. This is an updated version of my QR Encoder.

The problem this tries to solve

You've got a TOTP secret key (say, for 2-factor authentication). Rather than having to type all 32 characters into a mobile app like Google Authenticator by hand, we'd like to generate a QR code that carries the secret so the app can scan it.

The problem with using an existing CLI like qrencode is that a secret passed on the command line ends up in your shell history (~/.bash_history) and, while the process runs, is visible to other local users through ps or /proc. Plus, qrencode writes an image file containing the secret, which you then have to delete securely.

What it does to try to solve this problem

This Rust program reads the secret key with rpassword (no terminal echo and nothing in argv), then uses qrcode-rust to render the QR code directly in the terminal rather than writing an image file. The rendered code is high-quality enough for my iPhone to scan accurately, and there's no generated image file to worry about. Note that the rendered QR code is still a copy of the secret: it stays in the terminal's scrollback (and in any screenshot or terminal log) until it is cleared.
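As an added example (not qr-forge's own code, which uses the rpassword and qrcode crates), the following standard-library-only Rust shows the checks that belong between reading the secret and encoding it: the secret must be valid base32 that decodes to at least the 128-bit minimum RFC 4226 requires, and the issuer and account name must be percent-encoded before they go into the otpauth URI. The issuer, account and sample secret are constructed values for illustration.

```rust
// Added example, not qr-forge's code: validate a base32 TOTP secret and build
// the otpauth:// URI that the QR code carries. Standard library only.

const BASE32_ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

/// Decode RFC 4648 base32 (case-insensitive, '=' padding optional).
/// Returns None if any character is outside the alphabet or if data
/// follows padding.
pub fn base32_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let mut buffer: u32 = 0; // at most 12 pending bits live here
    let mut bits = 0u32;
    let mut padding_seen = false;
    for c in s.bytes() {
        if c == b'=' {
            padding_seen = true;
            continue;
        }
        if padding_seen {
            return None;
        }
        let val = BASE32_ALPHABET
            .iter()
            .position(|&a| a == c.to_ascii_uppercase())? as u32;
        buffer = ((buffer << 5) | val) & 0xffff;
        bits += 5;
        if bits >= 8 {
            bits -= 8;
            out.push(((buffer >> bits) & 0xff) as u8);
        }
    }
    Some(out)
}

/// Percent-encode everything except the RFC 3986 unreserved characters.
pub fn percent_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build an otpauth://totp URI. Rejects secrets that are not base32 or that
/// decode to fewer than 16 bytes (RFC 4226 requires at least 128 bits).
pub fn build_otpauth_uri(issuer: &str, account: &str, secret: &str) -> Result<String, String> {
    let key = base32_decode(secret).ok_or("secret is not valid base32")?;
    if key.len() < 16 {
        return Err(format!(
            "secret decodes to {} bytes; RFC 4226 requires at least 16",
            key.len()
        ));
    }
    // Authenticator apps expect upper-case, unpadded base32 in the URI.
    let normalized = secret.trim_end_matches('=').to_ascii_uppercase();
    Ok(format!(
        "otpauth://totp/{}:{}?secret={}&issuer={}",
        percent_encode(issuer),
        percent_encode(account),
        normalized,
        percent_encode(issuer)
    ))
}

fn main() {
    // Constructed sample: the well-known base32 example "JBSWY3DPEHPK3PXP"
    // repeated to reach 32 characters (160 bits).
    match build_otpauth_uri("Twitter", "@sts10", "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP") {
        Ok(uri) => println!("{}", uri),
        Err(e) => eprintln!("error: {}", e),
    }
    // A 16-character secret decodes to only 80 bits and is rejected.
    assert!(build_otpauth_uri("Twitter", "@sts10", "JBSWY3DPEHPK3PXP").is_err());
}
```

The account name is percent-encoded separately from the issuer and joined with a literal ':', which is the label form Google's Key Uri Format describes; '@' therefore appears as %40, which scanners decode back to '@'.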

But is it actually secure?

Honestly, I'm not sure. But I figure it's better than qrencode -s 10 -o generated_twitter_qr_code.png 'otpauth://totp/Twitter:@sts10?secret=hereismysecret&issuer=Twitter'

Other solutions

Note that KeePassXC version 2.4.0 and above can generate TOTP QR codes (see the KeePassXC FAQ and the relevant pull request) and does much more besides. If you can, I'd recommend using KeePassXC rather than this script for managing your TOTP keys and QR codes.

Installation/Setup

  1. Install Rust if you haven't already
  2. cargo install --git https://github.com/sts10/qr-forge

Alternatively: Clone repo, cd into repo directory, and run cargo install --path=.

Usage

USAGE:
    qrforge [FLAGS] [OPTIONS]

FLAGS:
    -e, --encode     Encode QR code from text secret, service and username
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -d, --decode <qr_image_file>    Decode a QR code image file to an OTPauth URI

Basically...

  • To encode a secret and create a QR code, run qrforge -e
  • To decode a secret from an existing QR code image, run qrforge -d=<qr_code_image_file_path.png>

Demo

Notes

The closest thing to an official spec of the otpauth URI is Google's Key Uri Format page on the google-authenticator wiki.

Before I wrote this code, I wrote a blog post that might help you understand the problems I'm interested in here.

To Do

  • Add ability to generate a few 6-digit codes, allowing users to confirm everything went right. See this function for clues on how to do this.
  • Make this a real CLI using structopt or Clap
  • Big refactor of the reading image code