12

When there are QR codes for one-time password (OTP) URLs (starting with otpauth://) that are supposed to be looked up in an authenticator app such as Google Authenticator, what happens if a user accidentally opens this QR code in a "normal" QR code reader, which tries, for example, to open the URL in a web browser (and it is passed on to a search engine, which is the case in Android / Chrome if the browser does not understand the protocol)?

I.e., will this first code still be of use after it is activated in the authenticator app, or is it "deprecated" at that point?

SHL
  • From an Android development standpoint, I would imagine if you opened a link with that prefix on an Android device (QR reader or otherwise), as long as you had an authenticator app that registered that scheme, it would open the authenticator app. I'm not sure, though, without testing it. It really does depend on a number of things. – d0nut Nov 18 '15 at 22:26
  • Yeah, well, we had an occasion when this did not happen, and it appeared that the query went out to do a Google search instead. Crazy. – SHL Nov 18 '15 at 23:26
  • 2
    if the QR code data / URI gets passed to anything other than your authenticator app, I wouldn't consider it secure. @CBHacking was correct in saying that even if they get a hold of it many years down the line, they would be able to correctly guess your new TOTPs – d0nut Nov 18 '15 at 23:52
  • I think the best option in this case would be enumerating the list of packages (Intents) that can handle that URI and comparing the package names to well-known ones to avoid accidental clicks. It's also possible to have a malicious package with the same package name as the intended application, but the idea is to have the user intentionally open the URI with the right application. Since the user will have probably installed the application, it would be as easy as telling them to open the URI with "Google Authenticator" or "Authy" if they had them installed, otherwise simply asking them to do so. – TheRealChx101 Aug 09 '19 at 02:04

2 Answers

14

The QR code remains valid and usable; nothing will make it stop working. This actually makes it very dangerous to leak the QR code. If an attacker sees it, even years after you use it the first time, they can set up their own TOTP (Authenticator) app to use your code, and it will generate the same tokens yours does, which can potentially help the attacker hijack whatever account the TOTP code is protecting. If it's something sensitive, you should generate a new code (this can usually be done by turning 2-factor auth off, and then on again). Then, even if anybody got the old code, it won't do them any good.

CBHacking
  • Would not the QR initialization code for a time-based one-time password itself have to be time-based? If so, I don't see how leaking it would cause damage any more than leaking one TOTP code would? – Stone True Aug 18 '17 at 14:27
  • 2
    @StoneTrue No, the QR code contains the key that is used to generate the entire future (and past) sequence of TOTP codes (you can think of it as being something like the seed for a random number generator, though it's actually a cryptographic key that is hashed with a counter that increments over time). The QR code *must* contain enough information to generate the entire future range of TOTP codes, or else how could the app possibly generate them without scanning a QR code each time? – CBHacking Aug 18 '17 at 19:32
3

If you attempted to open this link on an Android device that had an app registered to the scheme otpauth:// then it would open that application. Only 1 app on your device can register to a particular scheme at a time.

Here's a link to the relevant Google Authenticator source code.

  <intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="otpauth" />
  </intent-filter>

The line: <data android:scheme="otpauth" /> registers that scheme for all of the listed intent types. If you tried to view this in a browser you should just be directed to this app.


The QR codes are not 1 time use. If anyone else reads the code then they also have access to the "secret" used in the HMACs and can reproduce the codes.

d0nut
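Both answers above make the same point: the otpauth:// URI carries the HMAC key itself, so anyone who reads the QR code once can compute every past and future code. The following is an added example written for this page (it is not Google Authenticator's code and not from either answer) that parses such a URI the way an authenticator app does and derives codes from it per RFC 4226 / RFC 6238. The sample URI is constructed; its secret is the RFC 6238 test key "12345678901234567890" in base32, so the codes it produces can be checked against the RFC's published test vectors.

```python
"""Added example: parse an otpauth:// enrolment URI and derive TOTP codes.

Illustration code for this page, not Google Authenticator's implementation.
The sample URI is constructed; its secret is the RFC 6238 test key.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a typical TOTP enrolment QR code decodes to.
# A "normal" QR reader would hand exactly this string, secret included,
# to the browser or search engine.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=6&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Return the parameters an authenticator app stores after one scan."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if u.netloc not in ("totp", "hotp"):
        raise ValueError("unsupported OTP type: %r" % u.netloc)
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].strip().upper().replace(" ", "")
    # Enrolment URIs usually omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),  # the long-lived HMAC key
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "counter": int(q.get("counter", ["0"])[0]),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp_from_uri(uri, at=None):
    """RFC 6238: the HOTP counter is floor(unix_time / period).

    Because the key comes straight from the URI, the same URI yields the
    valid code for any instant, including years after the first scan.
    """
    p = parse_otpauth(uri)
    if p["type"] != "totp":
        raise ValueError("not a TOTP URI")
    at = time.time() if at is None else at
    return hotp(p["secret"], int(at // p["period"]), p["digits"], p["algorithm"])


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print("account:", p["label"], "| key:", p["secret"].hex())
    # Codes for moments a decade apart, all from one scan of the same QR.
    for t in (59, 1111111109, 2000000000, 20000000000, int(time.time())):
        print("t=%-12d code=%s" % (t, totp_from_uri(SAMPLE_URI, t)))
```

The values at 59, 1111111109, 1234567890, 2000000000 and 20000000000 seconds match the SHA1 rows of the RFC 6238 Appendix B table (the RFC lists 8-digit codes; with digits=8 the function returns them verbatim). Note that nothing in the flow consumes the URI: a second parse produces the same key and therefore the same codes, which is why the only remedy after a leak is to re-enrol with a fresh secret.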