1

I am new to web design and building a website that uses two-factor authentication (using the Google Authenticator app). When registering as a new user, the user fills out a form in which they choose a username and password. When this is submitted, a unique secret key is generated for the user, and converted into a QR code for the user to scan with their authenticator app to generate one-time-passwords with their phone.

The QR code is generated in the Java servlet; my thoughts were I would then pass this as a request parameter to the corresponding JSP, as I want this QR code to display on the next page, along with another form where the user types in their one-time-password to verify their registration. I am not sure of the best way to do this; is there a way to do it without first having to write the QR code to an image file? I looked at using Google Charts but the API for QR codes is now deprecated.

Ash
  • 61
  • 6

1 Answers1

-1

You can use jQuery (can pass the secret key via URL and launch generation client side ): https://larsjung.de/jquery-qrcode/ Google Chart QR generation is still working, there is no info on when they will stop the service completely (deprecation does not necessarily mean they will definitely discontinue) Sample: https://chart.googleapis.com/chart?cht=qr&chl=otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&chs=160x160&chld=L|0

Emin
  • 573
  • 3
  • 13
  • Down-voted because using *any* online service breaks the fundamental premise of TOPT MFA, that the *secret* remains a *secret*. In this case you are giving a third party not only your secret, but the username and service as well. – Lawrence Dol Nov 04 '22 at 18:18