I am currently using 2-factor authentication to tighten security for my login system. I use Google Authenticator to scan a QR Code, which generates a key which I can use to log in.

What worries me with my implementation is the way I create my QR Code in PHP using this API:

'https://chart.googleapis.com/chart?chs='.$width.'x'.$height.'&chld='.$level.'|0&cht=qr&chl='.$url_containing_secret

Using the maps API seems a bit unsafe since I'm basically sharing my secret through HTTP. Isn't this actually risky? I'm seriously considering creating the QR code using some library instead of an external API.

Am I too paranoid?

schroeder
Asperger

2 Answers

1

I would not be that paranoid but yes, why should somebody know you have generated some access tokens for whatever purposes...

Why can't you use your own generator? It is not something secret. There are tons of implementations on the internet for various languages...

Here is a JavaScript implementation:

Example: https://stefansundin.github.io/2fa-qr/

Sources: https://github.com/stefansundin/2fa-qr/blob/gh-pages/index.html

Here is one in PHP: https://github.com/chuyskywalker/google-authenticator-qrcode

Fis
1

I would not call it paranoid to not let google create your QR code. It is simply normal security care taking.

The URI in the QR code contains the secret key in plain text. It contains a label, which might give some indication of the user name. And there is the source IP of the request. Voilà, the evil attacker has all it needs. And the problematic thing with TOTP is that you will never know that an attacker actually has a copy of your 2nd factor.

Here is a more detailed read.

So you should definitely go with @Fis's hints to generate the QR code yourself. You can also generate the QR Code server side and pass it as a base64 encoded data image URL to the browser.

cornelinux
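As an added, stand-alone Python example (not code from either answer, nor from the linked JavaScript or PHP projects) covering both answers: it generates the TOTP seed and the otpauth URI locally, lets you audit what the chart.googleapis.com request pattern from the question would hand to a third party, verifies codes server-side with an RFC 6238 implementation checked against the RFC's published test vectors, and wraps a locally rendered PNG as a base64 data URL as the second answer suggests. The QR rendering itself is left to a local library such as the PHP one linked above; the 1x1 PNG below is a constructed placeholder for its output, and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# RFC 4226 / RFC 6238 reference seed "12345678901234567890", base32-encoded.
# Used only so the HOTP/TOTP code below can be checked against the published vectors.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed placeholder: a 1x1 PNG standing in for the QR image a local
# QR library would render from the otpauth URI.
PLACEHOLDER_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)


def new_secret(num_bytes: int = 20) -> str:
    """Random TOTP seed as unpadded base32, the form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(issuer: str, account: str, secret_b32: str,
                digits: int = 6, period: int = 30) -> str:
    """otpauth://totp/<issuer>:<account>?secret=... as scanned by Google Authenticator."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "digits": digits, "period": period, "algorithm": "SHA1"})
    return f"otpauth://totp/{label}?{params}"


def chart_url_for(uri: str, width: int = 200, height: int = 200, level: str = "M") -> str:
    """The URL pattern from the question: the whole otpauth URI rides in chl=."""
    return (f"https://chart.googleapis.com/chart?chs={width}x{height}"
            f"&chld={level}|0&cht=qr&chl=" + quote(uri, safe=""))


def exposed_by_chart_url(chart_url: str) -> dict:
    """Audit helper: the enrollment data a third party serving this request receives."""
    chl = parse_qs(urlparse(chart_url).query).get("chl", [""])[0]
    otp = urlparse(chl)
    q = parse_qs(otp.query)
    return {
        "label": unquote(otp.path.lstrip("/")),
        "secret": q.get("secret", [""])[0],
        "issuer": q.get("issuer", [""])[0],
    }


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // period, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                period: int = 30, window: int = 1) -> bool:
    """Server-side check with constant-time comparison, tolerating +/- `window` steps of drift."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * period, period), code)
        for k in range(-window, window + 1)
    )


def to_data_url(png_bytes: bytes) -> str:
    """Wrap locally rendered PNG bytes as a data: URL for an <img src=...>; nothing leaves the server."""
    return "data:image/png;base64," + base64.b64encode(png_bytes).decode("ascii")


if __name__ == "__main__":
    secret = new_secret()
    uri = otpauth_uri("ExampleApp", "alice@example.com", secret)  # made-up issuer/account
    print("third party would receive:", exposed_by_chart_url(chart_url_for(uri)))
    print("local alternative:", to_data_url(PLACEHOLDER_PNG)[:40] + "...")
    print("current code for this secret:", totp(secret))
```

Running the script prints the label, issuer and seed that the chart request would disclose, then the start of the data URL you would embed instead. The seed is only ever base32-encoded into the otpauth URI and checked with verify_totp on the server; the drift window keeps a code from the previous or next step valid, which is the usual compromise between clock skew and replay exposure.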