Scenario 1Thief found a home safe key in a park with a full house address labeled on the key. All he has to do is find a way to break into a victim’s house and unlock a safe box with this key. Not a big deal for a professional thief.Scenario 2Now let’s take the same situation but without an address on a key. Thief will be stumped trying to figured out the owner. Thief might get access to outdoors cameras or stay around in the park for a few weeks to figure out regular visitors hoping that some of them lost the key. But anyway thief will have to break into a few houses in order to find a target safe. And by the time he does it, there should already be a new safe box with a new key.The difference between these scenarios is that in the second one a potential victim didn’t expose sensitive information to a public that can compromise a system. That brings us to the main point of this article.You shouldn’t scan 2-factor authentication (2FA) QR codes if: - security is your primary goal for using 2FA and not just a company requirement - you use separate email addresses for different aspects of life (personal, work, banking, etc) - you don’t use both your computer and a mobile device to log into same services.Unnecessary dataHere is a deal, most services that allow 2FA also include completely unnecessary data in their QR codes like domain name and your email address.But in order to log into your account, all you need is any TOTP-generator app and an appropriate secret key. That’s all. So all additional data becomes a security vulnerability that can be exploited.Spoiler: if a service says that it supports Google Authenticator for 2FA, it actually means that you can use any TOTP (Time-Based One-Time Password) app like Authy, Authentication Plus, FreeOTP, LastPass, etc.Exposed dataNow imagine that you’ve lost your phone or installed some malicious software that exposed your data to a potential hacker.
Scenario 1. A hacker will get your 2FA secret key with a domain name and an email address, so all he has to do is break or intercept your password.Scenario 2. Now let’s take the same situation but without a domain name and email address in your authentication app. So before breaking your password hacker will have to find out a domain name and your email address which will dramatically slow him down. If you didn’t expose that email address elsewhere, hacker might even give up on you (unless you are a really big fish).So the only benefit of having a domain name and an email address to be written down in the authentication app is that you won’t forget them, but that’s a questionable benefit unless you have 50 different accounts with 2FA enabled. And don’t forget that you can always add custom notes that don’t expose your email addresses.Secret keyNow when we agree not to scan 2FA QR codes, let’s think how can we enable 2FA without introducing potential security vulnerabilities.Most services provide secret key together with QR code, so you can just type in this key into your authentication app and use appropriate settings if your app requires that. In most cases default settings will be good to go:1. Time-based (TOTP)2. 30 seconds interval3. 6 digits passcode4. SHA1 algorithm (has been broken in 2017, but is still used for TOTP)Warning: don’t forget to save your secret key in a safe place because you will need it again when changing or losing a mobile device.Already scanned QR codesIf your primary goal is security, then it’d be better to add again your existing accounts to your authentication app using only security keys and custom notes and delete old ones after making sure that both show same passcodes.There is no security keySome services show only QR code without any secret key when user tries to enable 2FA. That’s a very questionable decision, but those companies probably have their own reasons.