otpauth specification

Towards an Internet Standard

Although the otpauth URI scheme has provisional status with IANA, there is no consistently applied specification for otpauth URIs. This site accompanies the proposed Internet-Draft authored to encourage industry alignment within an IETF standards process: draft-andesco-otpauth-uri

This is a UX and interoperability demo, not a credential-storage or account-security demo. It uses an intentionally public, non-rotating default secret so the same otpauth URI can be inspected, changed, restored, and compared across setup paths.

The demo follows the deployed industry convention documented by Google, the current password-manager guidance documented by Apple, and the proposed Internet-Draft requirements, including this distinction:

Industry Standard Specifications

Google’s archived Key URI Format established the deployed otpauth convention used across authenticator apps. Apple’s current password-manager guidance describes a more precise UX model for credential setup: the issuer label prefix can name the service for display, while the issuer parameter can identify the site or app for credential matching.

The proposed Internet-Draft reconciles both needs: deployed consumers must continue to accept Google-style URIs where the issuer label prefix and issuer parameter are the same, while modern password managers benefit from treating the issuer parameter as the stable identifier for account matching.

This demo follows that direction. The issuer label prefix is human-readable display text, and the issuer parameter is the stable service identifier used for credential matching and suggestion.

Google: Key URI Format

“If both issuer parameter and issuer label prefix are present, they should be equal.” (2018)

  • label: <proper name>:<account>
  • issuer parameter: issuer=<proper name>

Apple: Securing Logins with […] Verification Codes

The issuer parameter is “the domain of the site or app” while the issuer label prefix is “the proper name of your service.” (2021)

  • label: <proper name>:<account>
  • issuer parameter: issuer=<domain>

Proposed Internet-Draft Requirements

This table summarizes how the demo maps to draft-andesco-otpauth-uri. It is specific to the TOTP URI generated by this page.

Component Draft status
otpauth scheme Required URI scheme
totp type Valid OTP type
label Required path component
secret Mandatory; exactly one value
issuer Recommended
algorithm Optional; default is SHA1
digits Optional; default is 6
period Optional for TOTP; default is 30
issuer label prefix Optional compatibility/display value

Demo

Settings

Display name for the service. Must not contain a colon.

Account name for the label. Must not be empty. Must not contain a colon.

This public demonstration secret is intentionally shared and must not be used for a real account. The secret must be unpadded Base32 text.

Optional: Save Username & Password

This demo works best after simulating an account registration and saving credentials. Your password manager (authenticator app) can then suggest associating a new verification code generator with these credentials.

does not save or validate these credentials. Use the default username and never enter a real or reused password.

Already Registered?
Sign In

Setup Verification Codes

Add your one-time password (verification code) generator to your password manager (authenticator app) using the button below or this link: Add to Password Manager

Your password manager may suggest associating it with saved credentials that match the label or issuer listed in the otpauth URI.

other options: copy Secret Key or scan QR Code

Confirm that your password manager has saved the secret key and can generate new one-time codes every 30 seconds.

Other Setup Options

Using a mobile device or a specific app should be entirely optional during setup. These fallback options are shown here to support platforms, browsers, and applications that do not support otpauth links.