I'm trying to implement 2FA using Twilio Authy with Laravel 5.8. I'm looking to add the functionality where a user can scan the QR code or manually enter the code to add an account to the Authy app on their phone. I followed https://www.twilio.com/docs/authy/api/users#add-a-user-without-providing-email-or-phone-number and was able to generate a QR code using an online QR generator, but I'm not able to find any documentation on how to generate a 16-digit alphanumeric secret key to manually enter in the Authy app instead of scanning the QR code. How can I accomplish that?

Peter O.
turtle

1 Answer

Twilio developer evangelist here.

When you create the QR code to add a user to the Authy app without entering their phone number or email, you generate a QR code using a URL that looks like this:

authy://account?token={JWT}

The JWT contains a custom user id which means you can later get that user's status by polling or listening for requests to a custom webhook.

This means that the user's Authy account is connected to your Authy application, but you didn't need to take the phone number or email address.

If you just provided the alphanumeric secret key to enter in the app, then there wouldn't be a way to connect the user account.

The alternative is to take the user's phone number and email address and register them as an Authy user, and then generate a QR code that they can use in any authenticator app. Admittedly this API only returns you a QR code, though that QR code will contain within it your alphanumeric secret. In this instance, you would have to take the user's email and phone number and read the QR code in your application yourself, but you could get the secret that way.

philnash
  • Hi Phil, thank you so much for the information. I would like to do something like https://authy.com/guides/linkedin/ where you have an option to enter the key manually in case you can't scan the QR code. In this guide, you can choose 'verification method using authenticator app' and it generates a QR code and a secret key without the user being required to enter their phone number. How is this secret key generated in this case? – turtle Feb 22 '21 at 15:59
  • That is possible there because LinkedIn is not using the Authy API to power their 2FA. I can't tell you how they generate their secret though, as I don't know. For some reason, the Authy API does not provide the raw secret, just a QR code. But as I said in my answer, if you read the QR code in your application using a QR library, you could extract the secret yourself and then display it. – philnash Feb 23 '21 at 04:22
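The answer above says the secret is inside the QR code the Authy API returns, and that your application could decode the QR image and show the secret for manual entry. The following is an added example (not code from the answer, from Twilio, or from Authy) that picks up at the point where a QR library has already turned the image into its text payload: it parses a constructed `otpauth://` URI, extracts and validates the base32 secret, groups it the way authenticator apps display a manual-entry key, and computes RFC 6238 TOTP codes so you can confirm that the secret typed in by hand produces the same codes as the scanned QR. The sample URI, issuer and account are constructed; the TOTP test vector is the one from RFC 6238. The logic is language-agnostic and ports directly to a Laravel controller.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text a QR decoder would return from an otpauth QR image.
# The issuer, account and secret here are made up, not values from any Authy response.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleApp:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleApp&digits=6&period=30"
)


def base32_decode(secret: str) -> bytes:
    """Decode a base32 secret, tolerating the missing '=' padding most apps omit."""
    padded = secret + "=" * (-len(secret) % 8)
    return base64.b32decode(padded, casefold=True)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the fields of an otpauth:// key URI (the format inside authenticator QR codes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parsed.netloc  # "totp" or "hotp"
    label = unquote(parsed.path.lstrip("/"))  # "Issuer:account" or just "account"
    issuer_from_label, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params.get("secret", "").upper().replace(" ", "")
    if not secret:
        raise ValueError("otpauth URI carries no secret")
    base32_decode(secret)  # raises if the secret is not valid base32
    return {
        "type": otp_type,
        "issuer": params.get("issuer") or issuer_from_label or None,
        "account": account,
        "secret": secret,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def format_for_manual_entry(secret: str, group: int = 4) -> str:
    """Group the base32 secret in blocks, as authenticator apps show a manual-entry key."""
    return " ".join(secret[i:i + group] for i in range(0, len(secret), group))


def generate_secret(num_bytes: int = 10) -> str:
    """A fresh random base32 secret for a self-hosted TOTP flow; 10 bytes -> 16 characters."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")


def totp(secret: str, for_time=None, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // period
    key = base32_decode(secret)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(secret: str, code: str, now=None, window: int = 1, **kw) -> bool:
    """Accept a code for the current step and +/- `window` steps, using a constant-time compare."""
    if now is None:
        now = time.time()
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + step * period, **kw), code):
            return True
    return False


if __name__ == "__main__":
    info = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    print("secret to show for manual entry:", format_for_manual_entry(info["secret"]))
    print("current code for that secret:", totp(info["secret"], digits=info["digits"], period=info["period"]))
```

`parse_otpauth_uri` is what you would run on the decoded QR text to obtain the secret the answer refers to; `format_for_manual_entry` then gives the user the same key the QR encodes, so either enrollment path yields identical codes from `totp`. `generate_secret` covers the LinkedIn-style flow mentioned in the comments, where your application owns the secret and verifies codes itself with `verify_code`; as the answer notes, a secret produced that way is not linked to an Authy user record, so it is a plain TOTP setup rather than an Authy enrollment.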