I follow the same approach explained here.
I am using PHPGangsta_GoogleAuthenticator like so:
$ga = new \PHPGangsta_GoogleAuthenticator();
$qrCodeUrl = $ga->getQRCodeGoogleUrl(urlencode('trading.com/'.$user->email), $user->two_fa_secret);
If the user has email adress = [email protected], then the app will show "trading.com/[email protected]". And the second parameter is the actual secret used to generate the code.
What bugs me, is that it generates this:
<img src="https://api.qrserver.com/v1/create-qr-code/?data=otpauth%3A%2F%2Ftotp%2Ftrading.com%252Fsomeguy%2540mysite.com%3Fsecret%3D4UYJ************&size=200x200&ecc=M" alt="Loading....">
The secret for the actual app is: XOB*************, so it's not exposing the actual secret in the URL. But can this URL not be used maliciously?
I am wondering:
- if I should not perhaps use the URL to download the QR Code instead of displaying it with the URL that the PHPGansta library generates?
- if api.qrserver.com is not a security threat, because i mean, who are they? I am sending them all the details they need to get passed the 2fa authentication. So a breach at api.qrserver.com, would be very bad for me. Or is api.qrserver.com = google, and therefore okay?
Yeah, you are not wrong... this seems like a terrible idea.
This about it this way, even if the literal secret does not appear in the URL, the QR code is enough to generate valid 2FA codes.
And yea, you are sending this code to a third party. I would strongly advise against this.
Also you are using a library called PHPGangsta, and it hasn't been updated since 2016. None of this creates trust.