What's Inside a 2FA QR Code?

Every time you set up two-factor authentication, you're shown a QR code to scan. But have you ever wondered what's actually encoded inside it? It's simpler than you might think, and understanding it gives you much more control over your 2FA setup.
The otpauth:// URI Format
A 2FA QR code contains a URI in the otpauth scheme, a standard format defined by Google and documented in the Google Authenticator Key URI Format spec. Here's an example:
otpauth://totp/GitHub:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub&algorithm=SHA1&digits=6&period=30
Breaking Down the URI
| Part | Value | Meaning |
|---|---|---|
| Scheme | otpauth:// | Identifies this as an OTP setup URI |
| Type | totp | Time-based OTP (vs hotp for counter-based) |
| Label | GitHub:alice@example.com | Issuer:AccountName, shown in the authenticator app |
| secret | JBSWY3DPEHPK3PXP | Base32-encoded shared secret, the key ingredient |
| issuer | GitHub | Service name (redundant with the label, but recommended) |
| algorithm | SHA1 | HMAC hash algorithm (SHA1, SHA256, or SHA512) |
| digits | 6 | Code length (6 or 8) |
| period | 30 | Code refresh interval in seconds |
The secret is the critical piece. Everything else is metadata that tells your authenticator app how to display and generate the codes. The secret, combined with the current time, generates every 6-digit code.
How Authenticator Apps Read the QR Code
- The app decodes the QR code image into the raw text string (the otpauth URI)
- It parses the URI to extract the secret, issuer, account name, and parameters
- It stores the secret securely in the device's secure enclave or encrypted storage
- It displays the entry with the issuer name and account name as labels
- It begins computing TOTP codes using the secret and current time every 30 seconds
The QR code is only used once during setup. After that, the app only needs the stored secret to generate codes forever.
Security Implications of the QR Code
Because the QR code contains your raw secret, it must be protected:
- Never screenshot a 2FA QR code unless you're storing it securely. A screenshot in your camera roll (synced to cloud) exposes your 2FA secret.
- Cover the QR code from shoulder surfers when scanning in public.
- The QR code is meant to be scanned once, but technically any app that scans it obtains the same secret and can reuse it. Some services let you regenerate your secret if you suspect it was exposed.
- Decode any suspicious QR code first before scanning it into your authenticator. Use our QR Code Decoder to safely inspect any QR code's contents before trusting it.
Generating 2FA QR Codes
If you're building an application that offers 2FA, you need to generate OTPAuth QR codes for your users. The process:
- Generate a random 20-byte secret for the user and Base32-encode it
- Store it encrypted in your database
- Construct the otpauth URI with the user's account name
- Generate a QR code from that URI and display it to the user once
- Ask the user to enter a code from their app to confirm successful setup
Generate secrets with our 2FA Secret Generator. Generate QR codes with our QR Code Generator — enter the full otpauth URI as the QR code content.
What If You Can't Scan the QR Code?
Every service that shows a 2FA QR code should also offer the option to "enter the code manually." This reveals the raw Base32 secret (e.g., JBSWY3DPEHPK3PXP). You can type this directly into any authenticator app.
You can also enter this secret into our browser-based 2FA generator to verify it produces the correct codes before committing to your authenticator app.
Frequently Asked Questions
Is it safe to scan a 2FA QR code on my computer screen?
Yes, that's the intended workflow. However, make sure the QR code actually came from the legitimate service (check the URL). If you're setting up 2FA via a link someone sent you (email, message), verify it came from the real service before scanning.
Can I use one QR code to add an account to multiple authenticator apps?
Yes, the same QR code (and the same secret) can be scanned by multiple apps. Each will generate valid codes. This is how you set up 2FA on multiple devices simultaneously. Be careful about who has access to the QR code.
What happens if my 2FA QR code is leaked?
If someone else has your OTPAuth URI (from the QR code), they have your TOTP secret and can generate your 2FA codes. You should immediately disable and re-enable 2FA on the affected account to generate a new secret. Treat a leaked QR code the same as a leaked password.
Can I decode my own 2FA QR code to get the secret back?
Yes, our QR Code Decoder will show you the full otpauth URI including the secret. This is useful if you want to migrate to a new authenticator app manually or verify what's in a QR code before scanning it.