
Note that there are two kinds of backups possible for TOTP secrets:

1. Backups that are specific to the app that made them. They can be used to restore the secrets to that same app on a new or replacement device, but might not help if you want to migrate to a different app.

2. Backups that can be restored to other apps.

If you aren't sure you are going to stick with the same TOTP app long term this could be important.

Sometimes there are third party tools that can take #1 type backups and give you back the secrets in a form suitable for other apps.

For example, Google Authenticator can export the secrets in the form of a QR code that contains the secrets for multiple accounts. Another instance of Google Authenticator can read that, but other TOTP apps might not be able to. But this tool [1] knows how to take the information in that QR code and decode it and split it into the individual secrets for each site. It can even generate QR codes of those for scanning into another TOTP app.

If you want #2 type backups that just work with most TOTP apps, there is a fairly easy way to get them. Whenever you set up a new account and a site gives you a QR code, simply take a screenshot before using that QR code to finish setting up the new account.

Store your collection of QR code screenshots somewhere safe.

If you ever want to migrate to a new TOTP app or to the same app on a new device open those saved screenshots and scan the codes.

If you've got an image display program that will let you open many at once, restoring can be pretty fast. On my Mac, for example, I just do "open *.png" in the place I have the screenshots. That opens them all in Preview, with each one being a separate page. Then I tell Preview to show one page at a time.

Then it is a matter of scanning one, hitting "page down" on the keyboard, and repeating until they are done. After two or three I'm in the groove and it goes pretty fast.

[1] https://github.com/dim13/otpauth



> backups possible for TOTP secrets:
>
> 1. Backups that are specific to the app that made them

I never thought about that. I always back up the key before I first use it, when it's shown for the very first time. Heck, I've written a CLI / text TOTP app (using some Java TOTP library) for my own use (fully offline / airgapped / password protected / showing six codes at once for the same code [+1 hour / now / -1 hour and previous code / current code / next code] and which also shows a public/commonly used example code, which is convenient to diagnose sync/clock issues).

> But this tool [1] knows how to take the information in that QR code and decode it and split it into the individual secrets for each site.

Like JBSW Y3DP EHPK 3PXP?

In my experience every site that shows the QR code offers the possibility to see that secret (and those that don't are misleading users into thinking it's more complicated than it is).

A TOTP secret is just that: 16 or 24 or whatever characters. The QR is just an encoding of these characters. The "issuer" serves no role other than to autofill the name of the service for you (and you're not forced to use the issued name; you can use any name you want).

I never ever scanned a QR code to configure 2FA / TOTP for any site. I write the 2FA code down, then enter what I've written down (on at least two devices).
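As an added example (not code from either commenter or from the linked tool), this shows the two points made in the thread: a TOTP secret is nothing more than base32 characters, which can be computed on directly (including the previous/current/next-step display the second commenter uses to diagnose clock skew), and a portable "#2 type" backup is just the standard otpauth:// URI built from those characters. It assumes the common defaults (HMAC-SHA1, 6 digits, 30-second step); the account name and issuer are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode


def normalize_secret(shown: str) -> bytes:
    # Sites display the secret grouped, e.g. "JBSW Y3DP EHPK 3PXP"; strip the
    # spaces, upper-case, restore base32 padding and decode to the raw key.
    s = "".join(shown.split()).upper().replace("-", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the counter is the number of whole steps since the Unix epoch.
    return hotp(normalize_secret(secret), at // step, digits)


def totp_window(secret: str, at: int, steps: int = 1, step: int = 30) -> dict:
    # Codes for the previous, current and next steps. If a site rejects the
    # "current" code but accepts a neighbour, the clock, not the secret, is off.
    key = normalize_secret(secret)
    return {k: hotp(key, at // step + k) for k in range(-steps, steps + 1)}


def otpauth_uri(secret: str, account: str, issuer: str,
                digits: int = 6, period: int = 30) -> str:
    # The app-independent Key URI format every TOTP app understands; putting
    # this (or just the secret) in a QR code is the portable "#2 type" backup.
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": "".join(secret.split()).upper(),
                        "issuer": issuer, "algorithm": "SHA1",
                        "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    import time
    print(totp_window("JBSW Y3DP EHPK 3PXP", int(time.time())))
```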



