[GH-ISSUE #173] Is it possible to add enable 2FA using this library via a code (i.e. not using a QR code)? #81

Closed
opened 2026-02-25 20:32:22 +03:00 by kerem · 1 comment
Owner

Originally created by @shanehoban on GitHub (Mar 12, 2022).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/173

Using Authy as an example, in the cases where the user cannot scan a QR code, you have the ability to enter a code to enable 2FA:

> ....you can add accounts by entering the code provided by the service in which you want to enable 2FA.

Can this library support this option or is this something that can be implemented?

Thanks, otherwise this works flawlessly, much appreciated!

Edit: Image example

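![image](https://user-images.githubusercontent.com/1383797/158015580-cc421b18-fa0a-4ed3-97c6-1388cce943b5.png)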

kerem closed this issue 2026-02-25 20:32:22 +03:00

@antonioribeiro commented on GitHub (Jun 13, 2022):

The QRCode is composed by an address like this:

```
otpauth://totp/company:holder?secret={$secretKey}&issuer=company&algorithm=SHA1&digits=6&period=30
```

What you are looking for is probably just the "secret key", which is the one responsible for generating the codes on your phone, that you may be already using like this:

```php
$google2fa->generateSecretKey();
```

What Authy is doing is probably encoding that secret key using an internal algorithm, but if in the end they are using the same OTP Google algorithm, they have to use the exact same secret key generation this package uses.

The risk of losing a QRCode and a secret key is the same, if you lose one of them your account is already compromised, so maybe you don't even need to double encode it (but, honestly, I would!) and you could just do

```php
// Keep the generated secret (for example AL77CK2NTRXXF2WO) in a variable
$secretKey = $google2fa->generateSecretKey();

// Lowercase it and split it into groups of four for manual entry
echo implode(' ', str_split(strtolower($secretKey), 4));

// al77 ck2n trxx f2wo
```
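The manual-entry flow described in the answer above, as an added example that is not part of the original thread or of google2fa's own code: it shows the secret in grouped form, normalizes what a user would type back to canonical Base32, and computes the RFC 6238 code with the SHA1, 6-digit, 30-second parameters from the otpauth URI. The helper names are hypothetical, and the secret is the sample value from the comment.

```php
<?php
// Added example; helper names are hypothetical, not part of google2fa.

// Display form for manual entry: lowercase groups of four characters.
function formatForManualEntry(string $secret): string
{
    return implode(' ', str_split(strtolower($secret), 4));
}

// Undo display formatting; reject anything outside the Base32 alphabet.
function normalizeSecret(string $typed): string
{
    $secret = strtoupper(preg_replace('/[\s-]+/', '', $typed));
    if (!preg_match('/^[A-Z2-7]+$/', $secret)) {
        throw new InvalidArgumentException('Not a Base32 secret');
    }
    return $secret;
}

// RFC 4648 Base32 decode of an unpadded secret; leftover bits are dropped.
function base32Decode(string $secret): string
{
    $bits = '';
    foreach (str_split($secret) as $char) {
        $index = strpos('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $char);
        $bits .= str_pad(decbin($index), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
        $bytes .= chr(bindec(substr($bits, $i, 8)));
    }
    return $bytes;
}

// RFC 6238 TOTP with the otpauth parameters: SHA1, 6 digits, 30 s period.
function totp(string $secret, int $time, int $digits = 6, int $period = 30): string
{
    $counter = pack('J', intdiv($time, $period)); // 64-bit big-endian counter
    $hash = hash_hmac('sha1', $counter, base32Decode($secret), true);
    $offset = ord($hash[19]) & 0x0F;              // dynamic truncation (RFC 4226)
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

$secret = 'AL77CK2NTRXXF2WO';               // sample key from the comment above
$shown = formatForManualEntry($secret);     // what the enrolment page displays
$typed = normalizeSecret($shown);           // what the app derives from that text
echo "Enter manually: {$shown}\n";
echo 'Code both sides should show now: ', totp($typed, time()), "\n";
```

When the key is typed by hand, the authenticator app must be set to the same time-based, SHA1, 6-digit, 30-second parameters that the QR code would otherwise carry.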