+8
Under Review

TOTP implementation is incomplete

4rev4 4 years ago updated by ReanimationXP 2 months ago 5

The data contained in one of your QR codes for setting up 2FA via TOTP decodes to something like this:

otpauth://totp/screenconnect?secret=123456789ABCDEF


On the other hand, if you enable 2FA on a service like Gmail, the data in their QR code decodes to something like this:

otpauth://totp/Google%3Ausername%40gmail.com?secret=123456789ABCDEF&issuer=Google


That's URL encoded, human readable is this:

otpauth://totp/Google:username@gmail.com?secret=123456789ABCDEF&issuer=Google


It's pretty plain that you guys are omitting the account information and instead are doing the bare minimum to even make the TOTP QR code work.

This needs to be fixed. Here is more documentation on the subject: https://github.com/google/google-authenticator/wiki/Key-Uri-Format

So why is this a problem? The account information helps TOTP apps distinguish between - you guessed it - different accounts! I have two ConnectWise Control instances set up for two different companies, and of course my logins and 2FA are different between them. However, since the account information isn't part of the URL contained in your QR code, Microsoft Authenticator doesn't have a way to distinguish them. It thinks I'm trying to update my 2FA for "screenconnect" and obliterates my 2FA for the other account. Thus it is currently not possible to have multiple accounts for ConnectWise Control set up in Microsoft Authenticator. I'm forced to use two different Authenticator apps instead. Also, new users won't be aware of this (like I wasn't!) and they may lock themselves out. Actually, it's very easy to create a malicious QR code to erase your 2FA code from Microsoft Authenticator. Just try setting up 2FA with Microsoft Authenticator in Control, then scan this code:

[Image: QR code]


Boom, your 2FA for ConnectWise Control is now obliterated, and I didn't even need to know your username to do it. See how bad this is?


You might say "just use Google Authenticator instead of Microsoft Authenticator" - that's not a solution. There is no method to back up your 2FA codes when you migrate to a new phone, or (worse) break or lose your current phone. A phone lasts, what, two years? So you're guaranteed to lose access to your accounts if you use Google Authenticator. On the other hand, Microsoft Authenticator provides backup capability and it actually works.
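The post above describes the difference between a bare `otpauth://totp/screenconnect?secret=...` URI and one that follows the Key URI Format (issuer-prefixed label plus an `issuer` parameter), and why an authenticator that keys entries by issuer and account will overwrite one ConnectWise entry with another. The following is an added example, not ConnectWise Control's code and not from the original post: it builds and parses otpauth URIs per the Key URI Format linked above, models an authenticator that identifies entries by (issuer, account) to show which URIs collide, and computes the TOTP code from the secret per RFC 6238. All secrets, account names and the "ConnectWise Control" issuer string are constructed for illustration; the collision model is an assumption about how apps such as Microsoft Authenticator deduplicate entries, based on the behaviour the post describes.

```python
"""otpauth:// URIs per the Key URI Format, and why a bare label collides.

Added example; not ConnectWise Control code. Secrets and names are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_otpauth_uri(secret_b32, account, issuer=None, digits=6, period=30,
                      algorithm="SHA1"):
    """Return an otpauth://totp/ URI whose label carries issuer AND account.

    Label is "issuer:account", percent-encoded (':' -> %3A, '@' -> %40), and
    the issuer is repeated as a query parameter, as the Key URI Format recommends.
    """
    label = f"{issuer}:{account}" if issuer else account
    params = [("secret", secret_b32)]
    if issuer:
        params.append(("issuer", issuer))
    # Optional parameters only when they differ from the defaults most apps assume.
    if algorithm != "SHA1":
        params.append(("algorithm", algorithm))
    if digits != 6:
        params.append(("digits", str(digits)))
    if period != 30:
        params.append(("period", str(period)))
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"otpauth://totp/{quote(label, safe='')}?{query}"


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/ URI into its issuer, account, secret and options."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(parts.path.lstrip("/"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Label is "issuer:account"; a bare label (as in the ConnectWise QR) has no issuer.
    head, sep, tail = label.partition(":")
    label_issuer, account = (head.strip(), tail.strip()) if sep else ("", head)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    return {
        "issuer": query.get("issuer", label_issuer),
        "account": account,
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").upper(),
    }


def identity_key(uri):
    """What an authenticator that deduplicates by (issuer, account) sees (assumed model)."""
    p = parse_otpauth_uri(uri)
    return (p["issuer"], p["account"])


def would_overwrite(existing_uri, scanned_uri):
    """True if scanning the second QR replaces the entry created by the first."""
    return identity_key(existing_uri) == identity_key(scanned_uri)


def totp(secret_b32, for_time=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if for_time is None else for_time
    counter = int(now // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample URIs: two bare ConnectWise-style labels with different
# secrets, versus two Key-URI-Format labels with distinct accounts.
BARE_A = "otpauth://totp/screenconnect?secret=JBSWY3DPEHPK3PXP"
BARE_B = "otpauth://totp/screenconnect?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PROPER_A = build_otpauth_uri("JBSWY3DPEHPK3PXP", "admin@company-one.example",
                             issuer="ConnectWise Control")
PROPER_B = build_otpauth_uri("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                             "admin@company-two.example", issuer="ConnectWise Control")

if __name__ == "__main__":
    print(PROPER_A)
    print("bare labels collide:", would_overwrite(BARE_A, BARE_B))
    print("proper labels collide:", would_overwrite(PROPER_A, PROPER_B))
    print("current code for A:", totp("JBSWY3DPEHPK3PXP"))
```

Running the block prints the Key-URI-Format URI with `ConnectWise%20Control%3Aadmin%40company-one.example` as the label, reports that the two bare `screenconnect` URIs map to the same (issuer, account) identity while the two proper ones do not, and prints a live code. The `totp()` function is checked against the RFC 6238 Appendix B vector (ASCII key `12345678901234567890`, time 59, SHA1), which is what the second constructed secret above encodes.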

+2

Thank you for taking the time to write this up!

I have this same issue.

Two years and this is STILL broken? Why do you guys not generate a proper QR code like everyone else? This is not hard.

The least you could do is just copy the open-source code from here: https://freeotp.github.io/qrcode.html

Seriously, this is such a pain to implement currently with new users.  Fix it!

+1

I saw the update and came to comment... oh wait... I already had 2 years ago... how is this still a thing when it's a 20-minute fix at most?

Some years have passed and it's worth noting that Google Authenticator now does back up codes to the cloud as well as providing export capabilities. It may not be the best choice; others have arguably better export solutions, but it's better than companies like Authy that lock you in with no way to escape. Google's was just being incomplete or "secure" at the time; Authy's is an intentional decision.