Andotp: Please add support for QR-codes for Microsoft authenticator (phonefactor URIs)

Created on 10 Aug 2019  路  8Comments  路  Source: andOTP/andOTP

General information

  • App version: 0.6.2
  • App source: F-Droid
  • Android Version: (Android 9)
  • Custom ROM: LineageOS 16.0

Expected result

What is expected?
Is it possible to add support for the QR-Codes used by Microsoft Authenticator (encoding the phonefactor-URLs)? They seem to implement OATH, too, but use an own URI scheme (URIs like phonefactor://activate_account?code=NNNNNNNNN&url=https%3a%2f%2fmyurl.com).

This would be of great help for me. Many thanks in advance (also already for the app in its current state^^)!

What does happen instead?
The URIs are not supported.

Logcat

Steps to reproduce

Scan a QR-Code for Microsoft Authenticator.

enhancement

Most helpful comment

Hi all,

it actually does work with andOTP. As always they're trying to push their own 2FA methods, however, they're still supporting the standard ones, although it's a bit hidden (same with Uber for example). Nonetheless, it would be cool if andOTP supported these methods as well.

screen

This is straight from the Azure portal. It's in German, but the red-circled button says something like "Configure app without notification". If you click on that it will show a QR-code that works with andOTP. I'm using that and it works perfectly.

Greetings

All 8 comments

If they in fact use one of the standard OTP algorithms (TOTP or HOTP) it should be doable. Could you provide an example of a site that uses one of those QR-Codes?

I came here because my company wants me to set up 2FA with Azure and indeed it doesn't work with andOTP. Can I do something to help out?

Hi all,

it actually does work with andOTP. As always they're trying to push their own 2FA methods, however, they're still supporting the standard ones, although it's a bit hidden (same with Uber for example). Nonetheless, it would be cool if andOTP supported these methods as well.

screen

This is straight from the Azure portal. It's in German, but the red-circled button says something like "Configure app without notification". If you click on that it will show a QR-code that works with andOTP. I'm using that and it works perfectly.

Greetings

Hi all,

sorry for my late reply, but I'm pretty under time pressure at the moment.

The page where I tried to register seems to be an internal one, therefore I can not show the original page. The problem is that the "Configure app"-link is not available on that page, so unfortunately this does not work in this case. But many thanks anyway!

@moritzgloeckl If you were able to see both a QR code for MA as well as a "conventional" QR code for the same login: Could you compare them and if so, did you spot some clues how they generate the QR codes/the URLs compared to the conventional ones? My own search has not been very successful so far.

Best regards

Hi @jens-br

It seems that companies are able to disable the usage of the "Configure app"-link. The PhoneFactor QR-code (the one that Microsoft forces you to use) contains phonefactor://activate_account?code=NNNNNNNNN&url=XXX, while the normal QR-code adheres to the standard OTP specifications. I haven't been able to find any correlations between those codes or a way to convert them. There's also little documentation available. But you can actually browse the URL, which seems to be some kind of API, so it might be possible to query it to get some information. However, it's not really documented (I think it's only used by Microsoft's own apps, so you're not supposed to use it).

Maybe ask your IT administration to enable the usage of other apps.

Greetings

From the phrase "configure app without notifications" I assume the default way used some type of push notifications and not the standard TOTP or HOTP tokens. In that case it won't be able to add support for it to andOTP.

That would be a pity. I'll see if I can find some more information about this.

As far as I can tell from my research those phonefactor URLs use a different OTP method (not standard TOTP or HOTP). So it won't be possible to implement this in andOTP.
I'm closing this for now, if you find out something more about the exact method feel free to reopen.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ageev picture ageev  路  4Comments

SkewedZeppelin picture SkewedZeppelin  路  4Comments

MartinX3 picture MartinX3  路  4Comments

RichyHBM picture RichyHBM  路  3Comments

asmw picture asmw  路  8Comments