[GH-ISSUE #40] Using a bigger key results in "Invalid barcode" #16

Closed
opened 2026-02-25 20:32:11 +03:00 by kerem · 7 comments

Originally created by @rdev5 on GitHub (Jul 26, 2016).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/40

FYI: https://github.com/antonioribeiro/google2fa#use-a-bigger-key

Setting a 32-byte key (with prefix) results in an Invalid barcode error in the Google Authenticator app, whereas a 16-byte key seems to work fine.

kerem closed this issue 2026-02-25 20:32:11 +03:00

@antonioribeiro commented on GitHub (Jul 28, 2016):

Not getting any errors, here. Just generated a pretty big prefixed key:

    private $keySize = 128;

    private $keyPrefix = 'this-is-a-prefix';

This is the generated (154 chars) key:

    ORUGS4ZNNFZS2YJNOBZGKZTJPANZZ2IKXBYRBCZBPECH5T6WF3UL7X4X2N77KNGYA34EQ3DCHJ5MT3SP7TK7N5742QI4Y4ODHOMAZ4AEQZT2WV7GHAS6R4B7DTC7YUVNMQX63WBHBVYKQ6WMTK52S6E246

Look at the key and QRCode:

image


@rdev5 commented on GitHub (Jul 28, 2016):

Have you tried in "in the Google Authenticator app" itself? That's what is generating the error.


@antonioribeiro commented on GitHub (Aug 3, 2016):

I can confirm that, but it looks like this is a Google Authenticator "feature": secret key size has to be a power of 2, so, for instance, a 512-byte key worked, but not 511.

But Authenticator on iOS worked (read the barcode and generated codes correctly) fine with all sizes and prefixes I tried, for instance:

    private $keySize = 137;

    private $keyPrefix = '7H6J5KL4';

So, as Google Authenticator is probably a standard for Google 2FA, I was thinking about creating a property (and a setter) to enforce compatibility and raise an exception on incompatible keys.

    /**
     * Enforce Google Authenticator Compatibility.
     */
    private $enforceGoogleAuthenticatorCompatibility = true;

What do you think?
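
A sketch of the compatibility check proposed in the comment above, as an added example: it is not the code from the linked commit or from google2fa itself. The function and exception names are hypothetical, and it assumes "key size" means the number of Base32 characters in the secret (padding excluded).

```php
<?php
// Added example, not google2fa code. Assumption: "key size" is the number of
// Base32 characters in the secret, with '=' padding excluded.
final class IncompatibleSecretException extends InvalidArgumentException {}

/** True when $n is a power of two (1, 2, 4, 8, ...). */
function isPowerOfTwo(int $n): bool
{
    return $n > 0 && ($n & ($n - 1)) === 0;
}

/** Hypothetical helper: validate a Base32 secret before it goes into a QR code. */
function assertAuthenticatorCompatible(string $secret, bool $enforce = true): string
{
    $secret = strtoupper(rtrim(trim($secret), '='));
    // RFC 4648 Base32 alphabet: A-Z and 2-7 only.
    if ($secret === '' || preg_match('/[^A-Z2-7]/', $secret) === 1) {
        throw new IncompatibleSecretException('Secret is not valid Base32.');
    }
    $len = strlen($secret);
    if ($enforce && !isPowerOfTwo($len)) {
        $lower = 1;
        while ($lower * 2 < $len) { $lower *= 2; } // largest power of two below $len
        throw new IncompatibleSecretException(sprintf(
            'Secret has %d characters; nearest accepted lengths are %d and %d.',
            $len, $lower, $lower * 2
        ));
    }
    return $secret;
}

// Constructed inputs: repeated letters standing in for generated secrets.
$samples = [
    '16 chars'  => str_repeat('A', 16),
    '154 chars' => str_repeat('A', 154), // same length as the key quoted in the thread
    '511 chars' => str_repeat('B', 511),
    '512 chars' => str_repeat('B', 512),
];
foreach ($samples as $label => $secret) {
    try {
        assertAuthenticatorCompatible($secret);
        echo "$label: OK\n";
    } catch (IncompatibleSecretException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Passing `false` as the second argument skips the length check, for authenticator apps that accept any key size.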


@rdev5 commented on GitHub (Aug 3, 2016):

Sounds good. I would probably suggest having it enabled by default since this project is altogether google2fa and not just a generic TOTP library.


@antonioribeiro commented on GitHub (Aug 3, 2016):

Changes are here: github.com/antonioribeiro/google2fa@69bbda5b71. Anyone willing to test it?


@JC5 commented on GitHub (Apr 1, 2017):

So, nearly a year later, I tested it and it works fine for me!


@antonioribeiro commented on GitHub (Jun 17, 2017):

@JC5, Thank you!
