How to enable 2nd Device for TOTP?

When logging in to NC I use my phone to generate the 2nd factor.

If the phone is not in range I will use my tablet as the 2nd verification generator instead.
How can I make NC 16.0.3 generate a second QR Code for my tablet?

The QR Code for the phone comes automatically when enabling TOTP, but I don’t want to disable and re-enable TOTP again…

NC will only present the QR code once… However, depending on the TOTP app you’re using on your phone, you might be able to export or display that QR code again.

If both devices are Apple, you may be able to sync the TOTP app data with iCloud. Authy also has an option to sync between devices I believe. If you used Google Authenticator then you may not have any other options.

Authy on iOS is also what I am using - recommending it strongly. Authy will also show you the QR code for each stored TOTP secret, even without syncing through iCloud…

I don’t have 2 iOS devices so there is no way to sync between 2 apple devices.

Nevertheless, there should be a trigger to enable the QR Code more than once…

Is it possible to disable TOTP and re-enable it, making a screenshot of the new QR for further devices? Will I lose all my app-tokens in that case??

I believe in the exact opposite!
You already have an option to save the screenshot of the QR code during creation.
Providing tools to recover the key introduces nothing but vulnerability…

You already have an option to save the screenshot of the QR code during creation.

Then it is obligatory to make a big hint to that circumstance! A popup maybe … or red text to lead the user to this important information

Can you answer my main question?

Will I lose all my app-tokens in that case??

What does “disable TOTP” mean? TOTP the app you installed?

It will not repeat itself, ever, if that’s what you mean.
So, you can’t enroll a second device after the fact…

And yes, user-assigned TOTPs are forgotten the moment you disable it…

It means -> enter the user settings area and disable the TOTP tag, so the account is set back to login with username+keyword

…but with the screenshot of the QR Code I can enable two or more TOTP devices with that once-created QR?

Yes, you can. That’s the weakness of this implementation…

Some implementations allow only one device to be used, e.g. the RSA soft token or privacyIdea…

Yes, you can do that. In the end, the secret is just the starting point of the pseudo-random number generator you’re initializing with this code, and that would be the same on any device you feed the secret to.

If you disable TOTP for your account and re-enable it, you will be presented a new QR code, which you can use for that. Print it out and file the sheet in a cabinet - safe from cyber attacks. :wink:

But that didn’t happen :wink:
I disabled TOTP and re-enabled it -> got a new QR Code and saved it to my keepass2 as a file attachment. Deleted the file after that.
And all my tokens were still there… and continued working.

You mean your application passwords? They are not derived from the TOTP code and are completely separate - so yes, you get to keep them, even when swapping the TOTP secret.

And that last part means the old ones got lost/forgotten…

…that was my main purpose :slight_smile:

That answer made me struggle a while to do a reset of my TOTP - but now with keeping all my app passwords it is no problem.

Nevertheless, the creators of the TOTP app should integrate a hint for users to save their QR Code / secret.

Again, I believe the opposite.
The creator should authorize the device so just one can be used.
This makes the saved picture of the QR a useless piece of paper…

@anon71540698, this is not possible with TOTP. As I explained earlier, the TOTP secret is the IV (initialization vector) for a PRNG, a pseudo-random number generator. This generator will always create the same “random” numbers for a given point in time, so it’s “reusable” by nature and the server can’t tell if the provided pin came from one device or the other.

I also deem it safe enough to print out the QR code and file it in a drawer, as someone would have to break into your house/office on purpose to get that paper.

If both the server and the authenticator support it, you can make the enrollment process a 2-step one, as shown here for example:
https://privacyidea.readthedocs.io/en/latest/workflows_and_tools/2step/