Once in awhile I need to register a second factor token on another device or recreate it on a device where it already existed. I have this Android tablet that has crashed again (reset itself to factory defaults.) And without fail, I have to look up how I recreate the MFA tokens again, and that's just a waste of time.
So, I use Google Authenticator on Android for most but not all of my 2FA tokens. I wanted to create a QR code rather than type in the codes again. The ones for AWS are 64 characters long, and that's going to be error prone. You can create a code using qrencode from the command line, so all I needed to know was what the format was for the TOTP URL that Google Authenticator expects.
It looks like this:
otpauth://totp/USERID?secret=CODE&issuer=ISSUER
USERID is an identifier specific to the user. The CODE is naturally the character string of letters and numbers that are used along with the time to generate the displayed codes for TOTP. My codes are typically 16 characters or more. ISSUER is another identifier that is displayed, usually who it's for. AWS for example.
So you'll end up with a URL like:
otpauth://totp/username@example.com?secret=gspgyhh4bb5iqswn&issuer=Fake
And then you display it as a QR code (in a suitable terminal... I've tried xterm, xfce4-terminal, and mate-terminal for this):
qrencode -tANSI256 'otpauth://totp/username@example.com?secret=gspgyhh4bb5iqswn&issuer=FAKE'
Generated an entire list of these with:
xargs -n 1 -ITOTP qrencode -tANSI256 TOTP < otp.urls
Scan one at a time, and you're in business.
One thing that I will mention, because I think it's important to be explicit about this: don't just leave your OTP token codes in an unencrypted file waiting to be pilfered. It's common sense that these should be protected over and above your normal data, and preferably kept separate from something like KeePass or whatever you store your passwords in, if you store them. Be smart about it.
One more thing I did discover while writing this is that not all randomly generated codes are equal. Some of the longer ones I generated to test it gave me "Key not recognized". I've never seen that, but perhaps I just have an error in the URL that I was unable to see. I'll update this if I figure it out.