Our website can be opened both from a desktop and from a mobile device. When users set up MFA on a desktop, it makes sense for them to scan the QR code straight from their PC's screen using a mobile phone camera. But when they log in on a mobile device, it would be pretty hard for them to scan a QR code on the same device they're currently using. I checked the way Google does it in account settings (logged in via Chrome on Android):
So, by default they suggest scanning the QR code, but when I click "I can't" they suggest I copy and paste the secret myself.
But they surely track whether the user is logged in from a mobile device, so why don't they just display an otpauth:// link instead? I tried doing it in my app and it works like a charm (at least on Android; I can't check on iPhone right now, but here's an example link for you if you get a chance to test this on an iPhone):
otpauth://totp/test@example.com?secret=wonttellyouthat&algorithm=SHA1&digits=6&period=30&issuer=superwebsite
upd: SOF won't make it clickable (must be for security reasons), but on my site I can do this with no issues. Wrapping this into a code snippet works on Android in Chrome when the "Request Desktop Site" checkbox is checked:
<a href="otpauth://totp/test@example.com?secret=wonttellyouthat&amp;algorithm=SHA1&amp;digits=6&amp;period=30&amp;issuer=superwebsite">otpauth://totp/test@example.com?secret=wonttellyouthat&amp;algorithm=SHA1&amp;digits=6&amp;period=30&amp;issuer=superwebsite</a>
By clicking on it, Android suggests that I may use either Microsoft or Google Authenticator, which means Google's app supports this trick. I also have LastPass installed, but that one doesn't pop up.
It seems to me that this solution is much more user-friendly, and I'm curious why Google wouldn't allow this for users. Must be some pitfalls I'm not considering?