QR Codes for Two-Step Verification (2FA)


TOTP authentication QR codes: otpauth:// URI format, secret key generation, authenticator app compatibility, and security best practices.

QR Codes for Two-Factor Authentication (2FA)

QR codes are the standard method for setting up Time-based One-Time Password (TOTP) authentication, enabling two-factor authentication across millions of services.

The otpauth:// URI Format

When a service enables 2FA, it generates a QR code encoding an otpauth:// URI such as:

otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30
| Parameter | Description                                | Default     |
|-----------|--------------------------------------------|-------------|
| Type      | totp (time-based) or hotp (counter-based)  | N/A         |
| Label     | Issuer:Account format                      | N/A         |
| secret    | Base32-encoded shared secret               | Required    |
| issuer    | Service name                               | Recommended |
| algorithm | Hash algorithm (SHA1, SHA256, SHA512)      | SHA1        |
| digits    | Code length (6 or 8)                       | 6           |
| period    | Code rotation interval in seconds          | 30          |

How TOTP Works

  1. The service generates a random secret key
  2. The secret is shared via QR code (scanned into an authenticator app)
  3. Both the server and the app independently compute HMAC(secret, floor(time/30)) and truncate the result to a 6-digit code
  4. The 6-digit codes match because both sides hold the same secret and agree on the current time
  5. Codes rotate every 30 seconds

Authenticator App Compatibility

| App                     | Platform               | otpauth:// Support |
|-------------------------|------------------------|--------------------|
| Google Authenticator    | iOS, Android           | Full               |
| Microsoft Authenticator | iOS, Android           | Full               |
| Authy                   | iOS, Android, Desktop  | Full               |
| 1Password               | All platforms          | Full               |
| Bitwarden               | All platforms          | Full               |

Security Best Practices

For services implementing 2FA:

  • Generate secrets with a cryptographically secure random number generator
  • Use at least 160-bit (20-byte) secrets
  • Display the QR code only once during setup — do not store or email it
  • Provide backup codes alongside the QR code setup
  • Support multiple authenticator apps (do not require a specific one)

For users:

  • Never screenshot 2FA QR codes — the secret is embedded in the image
  • Use an authenticator app, not SMS-based 2FA, when possible
  • Store backup codes securely (password manager or printed in a safe)
  • Scan the QR code in a private setting (not in public where cameras might capture it)

Key Takeaways

  • 2FA QR codes encode the shared TOTP secret in an otpauth:// URI
  • The secret, issuer, algorithm, and period are all encoded in the QR code
  • All major authenticator apps support the otpauth:// format
  • Never screenshot or share 2FA QR codes — they contain the secret key
  • Services should generate cryptographically strong 160-bit+ secrets