A Rust CLI to more safely generate a QR code from a 32-character TOTP secret key. Can also read QR codes from image files. This is an updated version of my QR Encoder.
## The problem this tries to solve
You've got a TOTP secret key (say for 2-factor authentication). Rather than have to manually enter all 32 characters into a mobile app like Google Authenticator, we'd like to generate a QR code of this secret key.
The problem with using an existing CLI like `qrencode` is that your secret key ends up in your `.bash_history` (and anywhere else your shell records commands). Plus, it generates an image file, which you'll then have to delete securely.
## What it does to try to solve this problem

This Rust script attempts to solve that by using `rpassword` to read the secret key without echoing it (so it never appears on a command line or in shell history), then using `qrcode-rust` to display the generated QR code right in the terminal, rather than writing an image file. This displayed QR code is high-quality enough for my iPhone to pick up accurately, and there's no generated image file to worry about.
## But is it actually secure?

Honestly, I'm not sure. But I figure it's better than:

```
qrencode -s 10 -o generated_twitter_qr_code.png 'otpauth://totp/Twitter:@sts10?secret=hereismysecret&issuer=Twitter'
```
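The safer path is to keep the secret in memory only: validate it, then build the `otpauth://` URI that the QR code will carry and hand that string to the in-terminal renderer. The example below is added here and is not qr-forge's own code; it uses only the Rust standard library (no `rpassword` or `qrcode-rust`), decodes the base32 secret to check it is well-formed and at least 128 bits long (RFC 4226's minimum), and assembles the URI in the same form as the `qrencode` command above. The issuer, account and secret values in the tests are constructed samples.

```rust
// Added example, not qr-forge's own code: validate a base32 TOTP secret in
// memory and build the otpauth:// URI that the QR code would carry, so the
// secret never appears on a command line or in an image file.
const B32: &[u8; 32] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

#[derive(Debug, PartialEq)]
pub enum SecretError {
    BadChar(char),    // character outside the RFC 4648 base32 alphabet
    BadLength(usize), // decoded key shorter than RFC 4226's 128-bit minimum
}

/// Authenticator apps show keys as "jbsw y3dp ..."; strip spaces and
/// '=' padding and upper-case before decoding.
fn normalize(s: &str) -> String {
    s.chars().filter(|c| !c.is_whitespace() && *c != '=').map(|c| c.to_ascii_uppercase()).collect()
}

/// Decode an RFC 4648 base32 string (padding optional) into raw key bytes.
pub fn decode_secret(s: &str) -> Result<Vec<u8>, SecretError> {
    let (mut buf, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in normalize(s).chars() {
        let v = B32.iter().position(|&b| b as char == c).ok_or(SecretError::BadChar(c))?;
        buf = (buf << 5) | v as u32;
        bits += 5;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8); // emit the completed high byte
            buf &= (1 << bits) - 1;        // keep only the leftover low bits
        }
    }
    Ok(out)
}

/// Percent-encode everything outside RFC 3986's unreserved set.
fn pct(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Build the Key URI (same shape as the qrencode example above) after
/// checking that the decoded key is at least 128 bits (16 bytes) long.
pub fn otpauth_uri(issuer: &str, account: &str, secret: &str) -> Result<String, SecretError> {
    let key = decode_secret(secret)?;
    if key.len() < 16 { return Err(SecretError::BadLength(key.len())); }
    Ok(format!("otpauth://totp/{}:{}?secret={}&issuer={}",
        pct(issuer), pct(account), normalize(secret), pct(issuer)))
}
```

The returned string is what you would pass to the terminal QR renderer; a 32-character secret decodes to 20 bytes (160 bits), the length RFC 4226 recommends.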
Note that KeePassXC version 2.4.0 and above can generate TOTP QR codes (see the FAQ and the relevant pull request) and more. If you can, I'd recommend using KeePassXC, not this script, for managing your TOTP keys and QR codes.
- Install Rust if you haven't already
- Run:

```
cargo install --git https://github.com/sts10/qr-forge
```

Alternatively, clone the repo, `cd` into the repo directory, and run `cargo install --path=.`
```
USAGE:
    qrforge [FLAGS] [OPTIONS]

FLAGS:
    -e, --encode     Encode QR code from text secret, service and username
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -d, --decode <qr_image_file>    Decode a QR code image file to an OTPauth URI
```

- To encode a secret and create a QR code, run `qrforge --encode`
- To decode a secret from an existing QR code image, run `qrforge --decode <qr_image_file>`
Before I wrote this code, I wrote a blog post that might help you understand the problems I'm interested in here.
- Add ability to generate a few 6-digit codes, allowing users to confirm everything went right. See this function for clues on how to do this.
- Make this a real CLI using structopt or Clap
- Big refactor of the image-reading code