Google-authenticator Alternatives

google-authenticator reviews and mentions

• TOTP Key URI Format
  1 project | news.ycombinator.com | 24 Apr 2025
• Behind the 6-digit code: Building HOTP and TOTP from scratch
  5 projects | news.ycombinator.com | 14 Apr 2025

  Six-digit verification codes for something like a "forgot password" flow are OTPs -- they're only good for one login -- but they are not HOTP/TOTPs. HOTP/TOTP has a registration step, where you copy a server-generated secret to your phone through a QR-code-encoded otpauth:// URI (https://github.com/google/google-authenticator/wiki/Key-Uri-...). That doesn't happen in a "forgot password" flow.

  Incidentally, if you think of TOTP as being HMAC(unix mod 30, secret), one idea would be to do public key crypto instead of symmetric HMAC stuff. That's basically what a security key is.

  If you additionally made it so that you couldn't phish the security key -- by having the OS + web browser know which apps can ask for which security keys -- you'd have reinvented WebAuthn.

  P.S.: Make you sure you have stuffing protection in place against these kinds of six-digit-code auth schemes. A million possibilities is often acceptable for a secondary factor, but it's useless if attackers can just try all million codes.

• GitHub will disable non-2FA accounts?
  1 project | news.ycombinator.com | 15 Aug 2023

  otpauth:// is a de-factor standard, since Google Authenticator uses it: https://github.com/google/google-authenticator/wiki/Key-Uri-...

• Creating 2fa with pyotp
  1 project | /r/flask | 4 May 2023

  Random question if you're using TOTP why not just give the user the secret when signing up as a Google Authenticator URI encoded in a QR code? Then you won't need to futz around with sending it to them afterwards. You can even use a library like qrcode.js so you don't generate the barcode server side either.

• why are all the totp secrets different styles?
  1 project | /r/Bitwarden | 10 Apr 2023
• Locker: Store secrets on your local file system.
  3 projects | /r/commandline | 16 Mar 2023

  Locker can generate Time Based OTP codes parsing TOTP urls stored under a special key named totp.

• Does changing an email that has TOTP setup affect the "secret"?
  1 project | /r/Bitwarden | 27 Feb 2023

  (Examples> https://github.com/google/google-authenticator/wiki/Key-Uri-Format)

• Google Authenticator open source fork archived
  1 project | news.ycombinator.com | 6 Jan 2023
• TOTP tokens on my wrist with the smartest dumb watch
  18 projects | news.ycombinator.com | 18 Oct 2022
• LastPass gehackt, Nutzerdaten aber anscheinend sicher
  4 projects | /r/de_EDV | 26 Aug 2022
• A note from our sponsor - SaaSHub
  www.saashub.com | 12 May 2025

  SaaSHub helps you find the best software and product alternatives Learn more →