Use TOTP token with display

[AFUman]

Is your enhancement related to a problem? Please describe.

Hello,
I would like to use 2FA with a hardware TOTP token. Is there a way to enter a predefined seed instead of having one generated?

Greetings
Chris

Proposed Solution

No response

Designs

No response

Describe alternatives you've considered

No response

Please confirm that you have searched existing issues in this repository.

Yes

[dd32]

Is there a way to enter a predefined seed instead of having one generated?

No, That is not currently supported by the plugin.

Hardware tokens would normally use WebAuthN instead of TOTP however, such as via #427 or https://wordpress.org/plugins/two-factor-provider-webauthn/

(Edit: Just noting, Hardware keys which provide a TOTP seed do exist, and supporting it would technically be feasible, I'm unsure if the plugin would wish to support that however.)

[kasparsd]

It seems that no other service provider currently allows you to specify the secret.

Technically, this would require some JS work to allow a user override for the generated secret that gets sent during the setup:

two-factor/providers/class-two-factor-totp.php

Line 361 in 6a95e7f

var key = $('#two-factor-totp-key').val(),

and we should also ensure that it doesn't contain invalid characters per:

two-factor/providers/class-two-factor-totp.php

Lines 456 to 471 in 6a95e7f

	/**
	* Check if the TOTP secret key has a proper format.
	*
	* @param string $key TOTP secret key.
	*
	* @return boolean
	*/
	public function is_valid_key( $key ) {
	$check = sprintf( '/^[%s]+$/', self::$base_32_chars );
	if ( 1 === preg_match( $check, $key ) ) {
	return true;
	}
	return false;
	}

Practically, you can currently use the browser inspector to replace the value of the hidden two-factor-totp-key field and it will store that secret instead.

I recommend we don't implement this as the built-in functionality for this plugin.