• Install Google Authenticator on the phone

  • Visit the "Install Two Factor Authentication" page

  • Display the secret key there

    Display the "Panic" OTPs there as well, so that the user can print them out on paper and store them in a secure location. Each one is shown once and never again:

      use Auth::GoogleAuthenticator;   # assumed: the module exporting generate_recovery_strings

      my @recovery_passwords = generate_recovery_strings( 3 );
      for my $pass ( @recovery_passwords ) {
        print $pass, "\n";
      }

  • Photograph the QR code with the Authenticator, or manually enter the key into it

  • On the Login page, enter the password and the current OTP code from the Authenticator; or, if the phone is gone, on the Recovery page enter one of the panic keys instead.


The password should be stored only as a salted hash produced by a slow password hash, never in a form the server can read back.

The shared authenticator secret, by contrast, needs to be stored as plaintext (or at least in a form the server can decrypt): verifying an OTP means recomputing the HMAC from the raw secret, so a hash of the secret is useless. Anyone who can read that column can mint valid OTPs, so restrict access to it as you would to the password database itself.


As phones tend to get lost, the recovery passphrases become important. They are also password equivalent: anyone holding one can log in without the phone. So, my recommendation is to store the recovery passphrases only as hashes, just like you store passwords, and to invalidate each one after it has been used once.
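The enrollment and login flow listed above, together with the storage rules for the three secrets, as one added stand-alone example. This is illustration code written in Python for this page, not the Perl module's own code or API. Assumptions not stated on the page: PBKDF2-SHA256 as the password hash (bcrypt, scrypt or Argon2 are equally fine), the label "Example:alice" in the otpauth URI, three recovery codes, a password being required on the Recovery page as well as on the Login page, and RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), which are what Google Authenticator implements.

```python
# Added example: server side of the enroll / login / recover flow.
#   password       -> salted slow hash (PBKDF2 here, assumed choice)
#   TOTP secret    -> stored raw, because every check recomputes the HMAC from it
#   recovery codes -> salted slow hash, each one consumed on first use
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30            # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6           # code length Google Authenticator displays
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def hash_secret(value: str, salt: bytes = None) -> str:
    """Salted slow hash for passwords and recovery codes (never for the TOTP secret)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2-sha256$%s$%s" % (salt.hex(), dk.hex())


def check_hash(value: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", value.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def generate_recovery_strings(n: int) -> list:
    """The 'panic' OTPs: random strings shown once so the user can print them."""
    return [secrets.token_hex(5) for _ in range(n)]


def enroll(account: str, password: str, issuer: str = "Example", n_recovery: int = 3):
    """Build the user record plus the one-time material shown on the install page."""
    secret = secrets.token_bytes(20)                 # 160-bit key, as RFC 4226 recommends
    recovery = generate_recovery_strings(n_recovery)
    record = {
        "password_hash": hash_secret(password),
        "totp_secret": secret,                        # raw on purpose, see comment above
        "recovery_hashes": [hash_secret(r) for r in recovery],
    }
    # otpauth:// URI that the QR code encodes. Percent-encoding the label keeps
    # characters such as < and > out of the raw URI (an assumed precaution).
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = "otpauth://totp/%s:%s?secret=%s&issuer=%s" % (
        quote(issuer, safe=""), quote(account, safe=""), b32, quote(issuer, safe=""))
    return record, recovery, uri


def login(record: dict, password: str, otp: str, at: int = None) -> bool:
    """Login page: password plus a current OTP; one step of clock skew is tolerated."""
    at = int(time.time()) if at is None else at
    if not (otp.isascii() and otp.isdigit() and len(otp) == DIGITS):
        return False
    if not check_hash(password, record["password_hash"]):
        return False
    return any(hmac.compare_digest(totp(record["totp_secret"], at + d * STEP), otp)
               for d in (-1, 0, 1))


def recover(record: dict, password: str, code: str) -> bool:
    """Recovery page: password plus one panic key; the key is consumed on success."""
    if not check_hash(password, record["password_hash"]):
        return False
    for i, h in enumerate(record["recovery_hashes"]):
        if check_hash(code, h):
            del record["recovery_hashes"][i]          # one-time use
            return True
    return False


if __name__ == "__main__":
    rec, codes, uri = enroll("alice", "correct horse battery staple")
    print(uri)                      # encode this into the QR code
    print("\n".join(codes))         # print these on paper, then discard them server-side
    now = int(time.time())
    print(login(rec, "correct horse battery staple", totp(rec["totp_secret"], now)))
```

The `hotp` and `totp` functions can be checked against the published RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 0 gives `755224`, time 59 gives `287082`), which is the quickest way to confirm an implementation will agree with what the phone shows.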


At least on iDevices, a < or > character in the generated account data made registering the account through the QR code fail. The same QR codes work with Android devices.


See also: TOTP: Time-Based One-Time Password Algorithm (RFC 6238)