I found a solution for anyone that wants to enable 2FA!
For anyone that wants to disable/then re-enable or just enable for the first time, here are the steps:
Go to your UserCP and then the 2FA section.
When you get to the page that has the recovery key, you should see a broken image. Store the recovery key someplace safe (as usual).
Now, view the page source. In the page source, you want to search for "chart.googleapis.com". This is what generates the (now broken) QR image. At the end of that line, you should see something like "secret%3DABCD1EFGHIJKL".
The part AFTER the %3D is the secret -- i.e.: ABCD1EFGHIJKL. If your 2FA app allows you to manually enter the secret, then you can just enter it. Or you can use this site to generate the QR code and scan it in:
https://stefansundin.github.io/2fa-qr/
You just need to copy/paste in the secret (again, the part AFTER %3D).
If you create the QR code, you just keep it as TOTP and do not need to adjust any of the "Advanced Options".
For people that want to double check to make sure they have the correct secret, you can copy the entire URL and paste it into:
https://www.urldecoder.org/
It should give you the same thing since %3D is unicode for "="
Once you've entered the secret into your TOTP app, or scanned the QR from above, it'll generate the TOTP code and you can enable 2FA on your account. If you mistyped the secret, it won't validate when you hit submit.
For anyone curious, I just re-enabled 2FA on my account since I switched off my previous 2FA app (Authy) about a month ago to a new one (Ente Auth). I know it works because I just tried accessing the site from a different IP and the 2FA code was accepted.
Just as a bit of advice for anyone choosing a 2FA app, you should choose one that allows you to export the secrets, or one that will regenerate the QR code so you can re-scan it. Unfortunately, Authy does neither. There is a way to migrate off Authy, but it might be rather technical for some people. For anyone interested you can check this link if you care:
https://x.com/FreedomTechHQ/status/1894226171325280755
FWIW, I use Ente Auth which does this, allows for multiple devices, and has a web interface in case you ever need to view your TOTP codes. The only information you give them is your email address (and a password). It's also free, open source, and is end-to-end encrypted (https://ente.io/auth/). There is no browser integration at this time.
2FAS is also supposed to be another good 2FA app that allows you to export it later if needed as well. It doesn't store any of your info offline, it also has a browser extension, and it syncs using your device's backup method (iCloud or Google I suppose). For my use case however, I wanted something that did store it offline and considering Ente is open source and can be audited, I felt comfortable using it.
To the site admins, the site that generates the QR code has the source posted, so I don't know if it's possible to integrate it into the site, but it's there.
Hope this helps!
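
Added example, not part of the original post: a Python script that does the steps above locally, pulling the secret out of the QR image URL and computing the TOTP code to compare against what the app shows, so the URL never has to be pasted into a third-party site. The sample URL is constructed (it uses the RFC 6238 test key), the function names are hypothetical, and it assumes the otpauth URI sits in the chart URL's `chl` parameter with the common TOTP defaults (SHA-1, 30 seconds, 6 digits).

```python
import base64, hashlib, hmac, html, struct, time
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the QR <img> URL as copied from page source
# ('&' HTML-escaped). The secret is the RFC 6238 test key, not a real one.
SAMPLE_SRC = (
    "https://chart.googleapis.com/chart?chs=200x200&amp;cht=qr&amp;chl="
    "otpauth%3A%2F%2Ftotp%2FExampleForum%3Aalice%3Fsecret%3D"
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
)

def base32_key(secret):
    """Decode a Base32 secret to raw key bytes; ValueError if malformed."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def extract_secret(src_url):
    """Return the secret from the otpauth URI carried in the chart URL."""
    outer = parse_qs(urlsplit(html.unescape(src_url)).query)
    if "chl" not in outer:
        raise ValueError("no chl parameter in URL")
    # parse_qs has already percent-decoded chl, so %3D is now '='.
    inner = parse_qs(urlsplit(outer["chl"][0]).query)
    if "secret" not in inner:
        raise ValueError("no secret parameter in otpauth URI")
    secret = inner["secret"][0]
    base32_key(secret)  # rejects characters outside A-Z / 2-7
    return secret

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time (default: now)."""
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(base32_key(secret), struct.pack(">Q", counter),
                      hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    s = extract_secret(SAMPLE_SRC)
    print("secret:", s)
    print("code now:", totp(s))
```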