Barcode-Based Authentication & 2FA


How barcodes enable two-factor authentication — TOTP QR setup codes, secure login flows, and the otpauth:// URI scheme.

Barcodes play a crucial role in two-factor authentication (2FA) systems. The QR code you scan when setting up Google Authenticator or similar apps encodes a standardized URI that configures the time-based one-time password (TOTP) algorithm.

The otpauth URI Scheme

When you set up 2FA, the service displays a QR code encoding an otpauth URI:

otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30

Parameter   Description                                  Default
Type        totp (time-based) or hotp (counter-based)    totp
Label       Account name and issuer                      Required
Secret      Base32-encoded shared secret                 Required
Issuer      Service name                                 Recommended
Algorithm   Hash algorithm                               SHA1
Digits      OTP length                                   6
Period      Time step in seconds                         30

How TOTP Works

  1. Service generates a random shared secret
  2. Secret is encoded in a QR code (otpauth URI)
  3. User scans the QR with their authenticator app
  4. Both the service and the app now share the same secret
  5. Every 30 seconds, both sides compute: HMAC-SHA1(secret, floor(time/30))
  6. The result is truncated to a 6-digit code
  7. User enters the code; the service verifies it matches
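As an added example (not code from this page or from barcodefyi), the following Python parses the otpauth URI described above and carries out steps 5 and 6 of the TOTP list, HMAC-SHA1 over floor(time / period) followed by dynamic truncation, plus the server-side verification of step 7. The sample URI with the label alice@example.com is constructed from the page's secret and defaults, and the one-step verification window is an assumption.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the page's secret with the scheme's default parameters spelled out.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(uri):
    """Split an otpauth:// URI into type, label and parameters, applying the scheme defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not a totp/hotp otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI is missing the required secret parameter")
    return {"type": parsed.netloc, "label": unquote(parsed.path.lstrip("/")),
            "secret": params["secret"], "issuer": params.get("issuer"),
            "algorithm": params.get("algorithm", "SHA1").upper(),
            "digits": int(params.get("digits", "6")), "period": int(params.get("period", "30"))}

def decode_secret(secret):
    """Base32-decode the secret, tolerating lowercase, spaces and missing '=' padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_from_uri(uri, now=None):
    """Current code for a TOTP URI: HMAC of floor(time / period), as in step 5 above."""
    cfg = parse_otpauth(uri)
    now = time.time() if now is None else now
    return hotp(decode_secret(cfg["secret"]), int(now // cfg["period"]), cfg["digits"], cfg["algorithm"])

def verify_totp(uri, submitted, now=None, window=1):
    """Server-side check: constant-time compare against the current step and +/- window steps."""
    cfg = parse_otpauth(uri)
    key = decode_secret(cfg["secret"])
    step = int((time.time() if now is None else now) // cfg["period"])
    return any(hmac.compare_digest(hotp(key, step + d, cfg["digits"], cfg["algorithm"]), submitted)
               for d in range(-window, window + 1))
```

The RFC 6238 test vectors (ASCII secret "12345678901234567890", Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) are a quick way to confirm the truncation is right before wiring this into a login flow.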

QR Code Setup Flow

  1. User enables 2FA in their account settings
  2. Service generates a cryptographically random secret
  3. Service displays a QR code encoding the otpauth URI
  4. User scans the QR with their authenticator app
  5. App adds the account and begins generating codes
  6. User enters a current code to verify setup
  7. Service stores the secret (encrypted) and enables 2FA

Authenticator Apps

App                      Platform                 Open Source
Google Authenticator     iOS, Android             No
Microsoft Authenticator  iOS, Android             No
Authy                    iOS, Android, Desktop    No
FreeOTP                  iOS, Android             Yes
Bitwarden                All platforms            Yes

All apps use the same otpauth URI standard, so they are interchangeable.

Security Considerations

  • Secret transmission: The QR code contains the shared secret in plain text (Base32-encoded, not encrypted). Display it only on trusted devices and over secure connections.
  • Backup codes: Provide backup codes in case the user loses access to their authenticator.
  • Recovery: Plan a recovery process for users who cannot generate codes.
  • QR code exposure: The QR code should be shown once and not stored; displaying it again requires re-authentication.

QR Code Login (Non-2FA)

Some services use QR codes for passwordless login:

  1. Login page displays a QR code with a session token
  2. User scans with the service's mobile app (already authenticated)
  3. App sends the session token + user credentials to the server
  4. Server authenticates the session
  5. Login page automatically logs in

Examples: WhatsApp Web, Slack, Discord.

Implementation Notes

  • Use a cryptographically secure random number generator for secrets
  • Encode secrets in Base32 (required by the otpauth standard)
  • Generate QR codes at error correction level M (15%) or higher
  • Include the issuer parameter for clear identification in authenticator apps
  • Test with multiple authenticator apps before deploying