Google authenticator invalid barcode on scan

Question

here's my code in generating the qr code

public function getUrl($user, $hostname, $secret) {
      $encoder = "https://chart.googleapis.com/chart?chs=200x200&chld=M%70&cht=qr&chl=";
      $encoderURL = sprintf( "%sotpauth://totp/%s@%s",$encoder, $user, $hostname);
      $finalEncodorURL = $encoderURL . "%26secret=". urlencode($secret);
      return $finalEncodorURL;
}

supposedly this will generate a qr code, and it does. but when i scan this code using google authenticator app, it will generate an error

The barcode 'otpauth://totp/[email protected]&secret=UOPKN6QFW3J6PW74' is not a valid authentication barcode.

but when "manual entry" using the secret key, it'll work and i can login just fine using the generated key.

i found stuffs in the internet saying i should urlencode the data, i did, but still it wont work.

here's a sample url generated by the function above:

https://chart.googleapis.com/chart?chs=200x200&chld=M%70&cht=qr&chl=otpauth://totp/[email protected]%26secret=UOPKN6QFW3J6PW74

am i missing something or did something wrong?

Answer 1

Just replace &secret= with ?secret= (don't forget to url-encode).

Also I don't know if this is the case here but the account name cannot have a space. It would work if you scan with Androids, but not with iPhones (go figure!)

Answer 2

It appears that both Google and IOS Authenticator apps don't like spaces in the 'Account Name' in OTP QR Codes. Replace them with something like - or _ or remove them.

The Windows phone app allows spaces and a version I installed on a Android Phone 6 months ago worked. I didn't get chance to test IOS but it looks like IOS has an issue. Entering the key manually works just fine but not scanning a QR Code with a SPACE in it.