otpauth specification

Toward an Internet Standard

Although the otpauth URI scheme has provisional status with IANA, there is no consistently applied specification for otpauth URIs. The developer of this demo has authored an Internet-Draft to encourage industry alignment within an IETF standards process: draft-andesco-otpauth-uri

This demo conforms to the unofficial industry standard (archived by Google) and the proposed internet standard, including two key recommendations (as initially defined by Apple):

Optional: Save Username & Password

This demo works best after simulating an account registration and saving credentials. Your password manager (authenticator app) can then suggest associating a new verification code generator with these credentials.

does not save or validate these credentials. You are encouraged to use the default username.

Already Registered?
Sign In

Setup Verification Codes

Add your one-time password (verification code) generator to your password manager (authenticator app) using the button below or this link: Add to Password Manager

Your password manager may suggest associating it with saved credentials that match the label or issuer listed in the otpauth URI.

other options: copy Secret Key or scan QR Code

Confirm that your password manager has saved the secret key and can generate new one-time codes every 30 seconds.

Other Setup Options

Using a mobile device or a specific app should be entirely optional during setup. These fallback options are shown here to support platforms, browsers, and applications that do not support otpauth links.

Settings

Industry Standard Specifications

Apple and Google align on an industry standard otpauth specification but differ on the use of issuer label prefix and issuer parameter. This demo follows Apple’s recommendations to ensure password managers can use the issuer parameter to suggest credentials when adding a new verification code generator.

Google
Key URI Format
“If both issuer parameter and issuer label prefix are present, they should be equal.” (2018)

  • label: <proper name>:<account>
  • issuer parameter: issuer=<proper name>

Apple
Securing Logins with […] Verification Codes
The issuer parameter is “the domain of the site or app” while the issuer label prefix is “the proper name of your service.” (2021)

  • label: <proper name>:<account>
  • issuer parameter: issuer=<domain>