0

When setting up 2FA with Authy most websites give you a QR code to scan.

Would it be correct to say that you should treat this QR code securely? If this code or a picture of it was leaked there is nothing to stop someone else setting up 2FA on another device without you knowing, is there?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Woodstock
  • 689
  • 6
  • 20
  • I don't think this applies specifically to the QR tag, that's just the vector for the setup data, so on Google Authenticator you can scan a QR or manually set up a 2FA with a key and setting time/counter based tokens. It is the token itself you should treat as secret whether in text or encoded into QR. – iainpb Mar 02 '17 at 12:33

1 Answers1

2

You absolutely need to consider the QR code a secret.

For 2FA (i.e. TOTP), the QR code has a shared secret embedded, which is basically what makes TOTP work (see https://www.rfc-editor.org/rfc/rfc4226).

OTP (both HOTP and TOTP) basically rely on HMAC, and the shared secret is used as the HMAC key.

The difference between the two OTP types is pretty much what is getting HMAC'ed - for TOTP, a timestamp, and for HOTP, a counter.

Community
  • 1
iwaseatenbyagrue
  • 3,631
  • 1
  • 13
  • 24