Set Up Google Authenticator with TOTP

Step-by-step guide to setting up Google Authenticator with TOTP. Learn how to generate secrets, create QR codes, and verify enrollment from your server-side application.

Platform Integration

Detailed Explanation

Integrating Google Authenticator with Your Application

Google Authenticator is the most widely used TOTP authenticator app, with over 100 million installs. Integrating it into your application requires generating a secret, presenting a QR code, and validating the first code to confirm enrollment.

Prerequisites

Your server needs the ability to:

  • Generate cryptographically secure random bytes
  • Encode bytes as Base32
  • Generate QR codes (or use a client-side library)
  • Compute HMAC-SHA1

Step 1: Generate and Store a Secret

import secrets, base64

# Generate 20 random bytes
secret_bytes = secrets.token_bytes(20)
# Encode as Base32 (strip padding)
secret_b32 = base64.b32encode(secret_bytes).decode('ascii').rstrip('=')
# Store encrypted in database, associated with user

Step 2: Build the otpauth:// URI

from urllib.parse import quote

issuer = "YourApp"
account = "user@example.com"
uri = f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}&issuer={quote(issuer)}"

Step 3: Display as QR Code

Render the URI as a QR code on your enrollment page. Users scan this code with Google Authenticator, which automatically imports all parameters.

Step 4: Verify Enrollment

Before enabling 2FA, require the user to enter the current TOTP code displayed in their app. This confirms:

  • The secret was transferred correctly
  • The user's device clock is reasonably synchronized
  • The app is properly configured

Step 5: Generate Backup Codes

Always provide 8-10 one-time backup codes that the user can store separately. These are essential for account recovery if the user loses their device.
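The five steps above fit together into one server-side flow. The following is an added, self-contained example in Python (not code from the original page or from Google Authenticator): it generates the secret (Step 1), builds the otpauth:// URI (Step 2), implements the HMAC-SHA1 TOTP check from the Prerequisites so the first code can be verified with a one-step clock-skew window (Step 4), and issues one-time backup codes (Step 5). The backup-code format (two groups of five hex characters, stored as SHA-256 hashes) and the `window=1` skew tolerance are this example's own choices, not requirements stated on the page.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple
from urllib.parse import quote, urlencode

# Google Authenticator's defaults; the page notes it may ignore other values
TOTP_STEP = 30      # seconds per time step
TOTP_DIGITS = 6


def generate_secret(num_bytes: int = 20) -> str:
    """Step 1: fresh 160-bit secret, Base32 without '=' padding."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def build_otpauth_uri(secret_b32: str, issuer: str, account: str) -> str:
    """Step 2: the otpauth:// URI that the QR code will carry."""
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    params = urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": TOTP_DIGITS, "period": TOTP_STEP,
    })
    return f"otpauth://totp/{label}?{params}"


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore Base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, now // TOTP_STEP)


def verify_code(secret_b32: str, submitted: str,
                at_time: Optional[int] = None, window: int = 1) -> bool:
    """Step 4: accept the current step and `window` steps either side (clock skew)."""
    if not (submitted.isdigit() and len(submitted) == TOTP_DIGITS):
        return False
    now = int(time.time()) if at_time is None else at_time
    counter = now // TOTP_STEP
    for delta in range(-window, window + 1):
        # constant-time comparison so timing does not reveal which digits matched
        if hmac.compare_digest(hotp(secret_b32, counter + delta), submitted):
            return True
    return False


def generate_backup_codes(count: int = 10) -> Tuple[List[str], List[str]]:
    """Step 5: (codes shown to the user once, SHA-256 hashes to persist)."""
    plaintext, stored = [], []
    for _ in range(count):
        raw = secrets.token_hex(5).upper()          # 40 bits of entropy per code (assumed format)
        code = f"{raw[:5]}-{raw[5:]}"
        plaintext.append(code)
        stored.append(hashlib.sha256(code.encode()).hexdigest())
    return plaintext, stored


def redeem_backup_code(stored_hashes: List[str], submitted: str) -> bool:
    """Consume a backup code: its hash is removed on first use, so each code works once."""
    digest = hashlib.sha256(submitted.strip().upper().encode()).hexdigest()
    for i, h in enumerate(stored_hashes):
        if hmac.compare_digest(h, digest):
            del stored_hashes[i]
            return True
    return False


def complete_enrollment(secret_b32: str, first_code: str, at_time: Optional[int] = None):
    """Steps 4 and 5 together: enable 2FA only after a correct first code, then issue backups."""
    if not verify_code(secret_b32, first_code, at_time):
        return None
    return generate_backup_codes()


if __name__ == "__main__":
    secret = generate_secret()
    print(build_otpauth_uri(secret, "YourApp", "user@example.com"))
    # Simulated user input: in production the code comes from the phone, not the server
    codes = complete_enrollment(secret, totp(secret))
    print("backup codes (show once):", codes[0])
```

`hotp` can be checked against the RFC 4226 test vectors (secret `12345678901234567890`, Base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`): counter 0 gives `755224` and counter 1 gives `287082`, which is also the TOTP value at Unix time 59. The `window` should stay small (one step either side is typical); every extra step widens the set of codes a guesser can hit, so pair it with rate limiting on the verification endpoint.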

Google Authenticator Limitations

  • No cloud backup (by default) — users lose all codes if they lose their phone
  • SHA-1 only — the algorithm parameter may be ignored
  • No push notifications — it is purely code-based
  • Export is manual — transferring to a new phone requires re-enrollment or QR export

Migration Considerations

If users switch phones, they need to either:

  1. Export accounts via Google Authenticator's transfer feature
  2. Re-enroll by scanning a new QR code
  3. Use backup codes to regain access and re-enroll

Consider offering multiple authenticator options (Authy, 1Password) alongside Google Authenticator.

Use Case

Backend developers adding two-factor authentication to their web application need a clear implementation guide for Google Authenticator integration. This walkthrough covers the complete enrollment flow from secret generation through verification, which is the most common path for adding TOTP-based 2FA. It is especially useful when building the enrollment UI, handling edge cases like failed QR scans, and planning for device migration scenarios.
