google-authenticator VS Sensor-Watch

otpauth:// is a de-factor standard, since Google Authenticator uses it: https://github.com/google/google-authenticator/wiki/Key-Uri-...

Random question if you're using TOTP why not just give the user the secret when signing up as a Google Authenticator URI encoded in a QR code? Then you won't need to futz around with sending it to them afterwards. You can even use a library like qrcode.js so you don't generate the barcode server side either.

Locker can generate Time Based OTP codes parsing TOTP urls stored under a special key named totp.

(Examples> https://github.com/google/google-authenticator/wiki/Key-Uri-Format)

If we're talking about the encrypted Authy TOTP secrets and IF they get cracked or guessed, Authy does store the email in the name of the item. Having the name, service and the secret within the QR code's URI is normal and the standard for TOTP. The only thing the hackers won't have is the password.

maybe you're thinking of sensor watch ? it's beat watch face seems to be set to whatever timezone you configure which defaults to UTC :

https://github.com/joeycastillo/Sensor-Watch/blob/main/movem...

Joey Castillo’s Sensor Watch project seems to be the only example in this no man’s land. Over 365 days on a single coin cell battery so far.

https://github.com/joeycastillo/Sensor-Watch

Sensorwatch has a watch face with iso8601 weeknumber (which I did)

https://github.com/joeycastillo/Sensor-Watch/blob/main/movem...

I don't know much about communities using the original hardware, but the people over at Oddly Specific Objects created new hardware that goes into the f91w. You could probably ask over there.

If you're a bit weirded out by the website secret pasting, I made a PR which lets the sensor watch load TOTP secrets from an Aegis export (essentially just a bunch of TOTP URIs):

https://github.com/joeycastillo/Sensor-Watch/pull/95

This is the reason I bought the board. It makes me happy not having to use my phone for this.