google-authenticator VS pyotp

otpauth:// is a de-factor standard, since Google Authenticator uses it: https://github.com/google/google-authenticator/wiki/Key-Uri-...

Random question if you're using TOTP why not just give the user the secret when signing up as a Google Authenticator URI encoded in a QR code? Then you won't need to futz around with sending it to them afterwards. You can even use a library like qrcode.js so you don't generate the barcode server side either.

Locker can generate Time Based OTP codes parsing TOTP urls stored under a special key named totp.

(Examples> https://github.com/google/google-authenticator/wiki/Key-Uri-Format)

If we're talking about the encrypted Authy TOTP secrets and IF they get cracked or guessed, Authy does store the email in the name of the item. Having the name, service and the secret within the QR code's URI is normal and the standard for TOTP. The only thing the hackers won't have is the password.

Can’t you just use a HOPT/TOPT so the user can scan a QR code with e.g google authenticator? Check https://github.com/pyauth/pyotp for more information

F-Droid has a number of apps.

KeePassDX (also on F-Droid) also supports TOTP, as does KeePass 2.0 on desktop, if you're comfortable keeping it with your password manager.

PyOTP contains plenty of information about how to implement an authenticator app.

https://pyauth.github.io/pyotp/

I know/use https://github.com/pyauth/pyotp for some 2FA especially Google.

you can use https://pyauth.github.io/pyotp/ to add TOTP functionality to your login.

I'm trying to access an API that uses the Oauth2 authorization code flow with MFA. I can automate the MFA part with https://github.com/pyauth/pyotp, but the flow also opens a browser instance where it's expected that a user logs in manually. I wish to automate this step so there's no human intervention required.

No I didn't tried it. But we should give the key in base32 right.? https://github.com/pyauth/pyotp