Do I need to scan a QR every time?
Excuse my dumb question. I've managed to implement a very basic authentication program in which I generate a QR code, which I scan with Google Authenticator and verify the code correctly. My question is, once I've scanned the QR code once and I have added my new Go application to my 2FA app, do I need to regenerate, scan the QR code and re-add it to my 2FA app? How can I just ask the user to enter the new code generated by his/her 2FA app and check it?
Thanks for your help!
You need to store the TOTP token in your backend, and then validate against it next time.
For my small "proof of concept" app, once I have presented the QR code to the user, I store the token in my DB - first I call the ToBytes method to serialize the token, and then I base64 encode it, before saving it. At a later stage I will add encryption of the token in the DB.
Then, when the user logs in, I grab the token string from the DB, base64 decode it, and then run TOTPFromBytes to generate the TOTP object. So I have the object, and have captured the 6/7/8-digit code from a text box. I then call the Validate method on the token, passing in the user-submitted code, which will either return nil or an error.
Note that the token is stateful. I save it back to the DB every time I call Validate, as it tracks the last attempted validation, the number of failed validations and any time drift in the client.
Hope that helps.
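The store-once, validate-every-login flow described in the answers, as an added example that is not part of the original thread or of the library the answer uses: it keeps the secret that the QR code carried in a base64 field (an in-memory map stands in for the DB), and on each login checks the submitted code against that stored secret using only the standard library, implementing RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, as Google Authenticator expects) with one step of tolerance for clock drift. The user names and the userDB map are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"time"
)

const step = 30 // seconds per TOTP time step (Google Authenticator default)
// totp computes a 6-digit RFC 6238 code (HMAC-SHA1, RFC 4226 dynamic truncation) for one time-step counter.
func totp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[offset:offset+4])&0x7fffffff)%1000000)
}
// userDB stands in for the backend table: one base64-encoded secret per user (constructed, in-memory).
var userDB = map[string]string{}
// enroll runs once per user: it makes a fresh 160-bit secret, stores it, and returns it for the QR code.
func enroll(user string) ([]byte, error) {
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	userDB[user] = base64.StdEncoding.EncodeToString(secret)
	return secret, nil
}
// verify runs at every login: it reloads the stored secret and accepts the code for the current step or one step either side.
func verify(user, code string, now time.Time) bool {
	secret, err := base64.StdEncoding.DecodeString(userDB[user])
	if err != nil || len(secret) == 0 {
		return false
	}
	counter := now.Unix() / step
	for d := int64(-1); d <= 1; d++ {
		if c := counter + d; c >= 0 && subtle.ConstantTimeCompare([]byte(totp(secret, uint64(c))), []byte(code)) == 1 {
			return true
		}
	}
	return false
}
```

Unlike the stateful token in the answer, this example does not record failed attempts or observed drift; a per-user failure counter stored beside the secret is the usual way to rate-limit guessing of a 6-digit code.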