[Suggestion] Parse the TOTP URL.

Leonne
Community Member

I was very excited when I heard 1Password was adding support to generate OTP tokens within the app, finally ditching Google Authenticator.

But I was surprised when I scanned my first QR code and saw that the app populated the "secret" field with the entire TOTP URL instead of only the "secret" parameter.

I was actually building a better OTP app than Google Authenticator so I'm familiar with how it works. The standard is pretty explicit with the parameters on the URL and it explicitly states the obligatory and optional parameters. With that info in hand, it isn't hard at all to parse the URL into something more manageable by common users. I actually have the entire parsing algorithm written for TOTP and HOTP URLs in Swift. wink, wink

While most services allow you to get the "secret" in text form instead of scanning a QR code, scanning the QR code is a convenience. I imagine many users are confused when they scan a QR code with the app and then they save the entire "totp://" string as the secret and wonder why the generated codes don't work. I think it's important to understand that not all your users are tech-savvy users - even tech-savvy users are not necessarily familiar with the ISO standards for HOTP and TOTP tokens - and it's because of them that scanning a QR code with the app should simply populate the "secret" field of the One-Time Password with the "secret" parameter from the URL instead of the whole URL, unless of course you are planning on populating the related fields with the proper info from the URL.

My current workaround is to delete the entire URL and leave the contents of the "secret" parameter intact.

That said, thank you for this update. I no longer have to write my own TOTP wallet and can move on with other projects I want to work on. You just need to fix this little annoyance and it will be basically perfect.
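
The parsing requested in the post above, as an added Python example (not code from the thread or from 1Password): it accepts either a bare secret or a whole otpauth:// URI, validates the fields, and derives the code. Parameter names and defaults (SHA1, 6 digits, 30-second period) follow the Key URI format used by Google Authenticator; `parse_otp_field`, `otp_code` and `SAMPLE_URI` are hypothetical names, and the sample URI is constructed.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlsplit, parse_qs, unquote

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def parse_otp_field(value):
    """Accept a bare Base32 secret or a whole otpauth:// URI; return checked fields.
    Spaces, lower case and stripped '=' padding in the secret are tolerated."""
    value = value.strip()
    if "://" in value:
        parts = urlsplit(value)
        kind = parts.netloc.lower()
        if parts.scheme.lower() != "otpauth" or kind not in ("totp", "hotp"):
            raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
        params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
        label = unquote(parts.path.lstrip("/"))
    else:  # bare secret typed or pasted by hand: every other field is a default
        kind, params, label = "totp", {"secret": value}, ""
    if "secret" not in params:
        raise ValueError("required parameter 'secret' is missing")
    secret = params["secret"].replace(" ", "").rstrip("=").upper()
    try:
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc
    issuer, _, account = label.rpartition(":")
    fields = {"type": kind, "secret": secret, "key": key,
              "issuer": params.get("issuer", issuer), "account": account.strip(),
              "algorithm": params.get("algorithm", "SHA1").upper(),
              "digits": int(params.get("digits", "6")),
              "period": int(params.get("period", "30")),
              "counter": int(params["counter"]) if "counter" in params else None}
    if not key or fields["algorithm"] not in ALGORITHMS or fields["digits"] not in (6, 8):
        raise ValueError("empty secret, or unsupported algorithm or digits")
    if fields["period"] <= 0 or (kind == "hotp" and fields["counter"] is None):
        raise ValueError("period must be positive; hotp requires 'counter'")
    return fields

def otp_code(fields, now=None):
    """HOTP (RFC 4226) for hotp fields, TOTP (RFC 6238) for totp fields."""
    ticks = int(time.time() if now is None else now) // fields["period"]
    counter = fields["counter"] if fields["type"] == "hotp" else ticks
    digest = ALGORITHMS[fields["algorithm"]]
    mac = hmac.new(fields["key"], struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** fields["digits"]).zfill(fields["digits"])
```

Storing only `fields["secret"]` in the secret field, and the issuer and account in their own fields, gives the same codes as keeping the whole URI while leaving nothing for a user to edit by hand.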

Comments

  • Drew_AG
    1Password Alumni
    edited January 2015

    Hi @Leonne,

    Thanks for taking the time to send us your feedback about this! You're correct that it isn't necessary to have the entire TOTP URL in that field, as the secret code alone should work fine. However, the entire URL should also work. It sounds like you may have had trouble with that:

    > I imagine many users are confused when they scan a QR code with the app and then they save the entire "totp://" string as the secret and wonder why the generated codes don't work.

    Actually, when you scan a QR code and the entire TOTP URL is entered in the One-Time Password field, that should work just as well. I've tested this with my Logins for Dropbox and Tumblr and haven't had any problems. In both cases, they include the entire otpauth://totp/ string. Have you had a problem doing this with specific sites?

    Also, even though it should work both ways, I'll be happy to file a request with our developers to parse the secret code instead of including the entire URL, since that seems to make a bit more sense.

    ref: OPI-2263

  • Leonne
    Community Member

    Heya Drew,

    It didn't work with Dropbox for me, so I ended up deleting everything in the URL but the "secret"'s contents. I don't know why it would work with Dropbox for you but not for me, that's a little bit strange... I will be adding some more TOTP tokens later today so I will see how that goes.

    Also, please pass on to the team that, for some reason, pressing "return" on the keyboard while editing the "secret" parameter sometimes causes the app to crash.

  • Drew_AG
    1Password Alumni

    Hi @Leonne,

    That's strange, I'm not sure why it didn't work with Dropbox for you. In case it helps, we have steps in this article for setting up Dropbox’s two-step verification with 1Password. Is there anything you did differently than the steps described there?

  • Leonne
    Community Member

    I just added a Gmail account and it seemed to work fine without editing the URL.

    Maybe I just touched something when I added my Dropbox account and I just don't remember it.

  • Drew_AG
    1Password Alumni

    Hi @Leonne,

    Hopefully the problem was something simple like that. I'm glad it worked correctly for your Gmail account! If you run into more problems setting up a one-time password, please let us know and we'll investigate further. Thanks! :)

This discussion has been closed.