Unsupported QR code?

jribbens · January 2019

I was trying to add a one-time password for https://dcd.ionos.com/ and the iOS app just kept saying "unsupported QR code". The QR code contained the following URL:

otpauth://totp/IONOS Enterprise Cloud:user@example.com?secret=ABCDEFGHIJKLMNOP&issuer=IONOS Enterprise Cloud

I eventually managed to get it working by using the Windows 1Password application and entering the URL manually, so clearly the QR code is not unsupported after all. Perhaps it's the spaces in the URL?

(As an aside, the user interface for adding one-time passwords in Windows is abysmal. You get a text box, you can enter stuff in it but there is no obvious combination of key presses or mouse clicks that cause it to accept the data. You can also choose to grab a QR code 'from my screen' but it appears to do nothing at all.)

1Password Version: 7.2.6
Extension Version: Not Provided
OS Version: iOS 12.1.2
Sync Type: Not Provided

Ben · January 2019

Hi @jribbens

I've been testing this and both 1Password for iOS and 1Password for Mac took the string you posted and generate TOTP codes based on it without error. I don't suppose you saved a copy of the QR code itself, did you? If you did would you be willing to email that to us? I'd only recommend doing this if the website in question allows you to turn off TOTP and then re-enable it to get a new secret. If so I'd recommend doing that before sending it. You can email it to us at support+forum@1password.com and then post the support ID you get back here so we can 'connect the dots'.

Thanks.

Ben

jribbens · January 2019

Ok I've done that, the ID is [#ADY-35126-579]. I've also looked into it some more and they're displaying the QR code with:

<img src="https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl=otpauth://totp/IONOS%20Enterprise%20Cloud%3Auser%40example.com%3Fsecret%3DABCDEFGHIJKLMNOP%26issuer%3DIONOS%20Enterprise%20Cloud">

which on the one hand seems hideously insecure but on the other hand no less hideously insecure than the rest of the web :|

It is the spaces as I suggested in my original message, if I replace the %20s in the above URL with %2520 then everything works fine. This is both a bug at their end and something you could perhaps be helpful by being more lenient about.

rudy · January 2019

@jribbens,

Yup, space characters aren't a valid encoding for that data, they should be % encoded as %20.

jribbens · January 2019

Yeah I've filed a bug report with IONOS but I think you should probably update 1Password too; it would seem that Google Authenticator app accepts the spaces so there'll probably be more QR codes out there with spaces in.

Ben · January 2019

Thanks for the suggestion. Right now we're following the spec, so changing this would be stepping outside of the spec. If it becomes a widespread problem we may have to look at doing that, but for right now I think we're pretty intent on being spec compliant.

Ben

Unsupported QR code?

Comments