I am working on enabling MFA using TOTP on keycloak.
2FA with Google Authenticator works very well, but once a QR code is scanned, it is saved as <realm_name>(username) in Google Authenticator. This poses a blocker in case I try scanning Keycloak instances present on multiple systems having the same realm and username. For every scan of a new QR code, if the realm name and username are the same, then Google Authenticator replaces the previous instance of the TOTP.
Is there a way in which I could configure Keycloak to return a user-specified string and username through the QR code instead of the default <realm_name>(username), so that the same Google Authenticator application can be used to scan QR codes from multiple systems all having the same usernames and realms configured on them?
The QR codes are built internally and then sent to the login and account themes to be rendered. The code that builds the QR code is here (keycloak/TotpUtils.java at main · keycloak/keycloak · GitHub), and that code is used in the TotpBean in each theme. If you wanted to change that, you could probably build a custom FreeMarker template provider and update the TotpBean that gets returned, which would render whatever QR code you built.
I don’t know how the Google Authenticator app gets the <realm_name>(username) out of the QR code, but my guess is you can control that.
That is the direction I’d start investigating, if you really need to do this. However, this is pretty exotic customization for a somewhat weak use case.
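As an added illustration (not Keycloak's code and not part of the thread above), the following Python models what the QR code actually carries: an otpauth://totp/ URI in the Key URI Format that Google Authenticator consumes, where the "issuer:account" label is only the display identity and the `secret` parameter is what generates codes. It generates RFC 6238 codes from such a secret, checks itself against the RFC test vector, and shows why two enrolments with the same label collide while distinct issuer strings survive side by side. The realm and user names, the secrets and the in-memory "authenticator store" are constructed sample data; that Keycloak's label has the form <realm>:<username> is an assumption drawn from the behaviour described in the question.

```python
# Added example, not Keycloak's own code: model of the otpauth:// URI behind
# a TOTP QR code (Google's Key URI Format), RFC 6238 code generation from its
# secret, and a constructed model of an authenticator app that keys entries by
# (issuer, account), which is why identical labels overwrite each other.
# Assumption: the label Keycloak emits has the form <realm>:<username>.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# RFC 6238 reference secret ("12345678901234567890" in base32), for self-checking.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def build_otpauth_uri(issuer, account, secret_b32, digits=6, period=30):
    """Build an otpauth://totp/ URI. The label "issuer:account" is display
    identity only; the secret parameter is what generates the codes."""
    label = quote(f"{issuer}:{account}", safe="")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def parse_otpauth_uri(uri):
    """Split a URI back into issuer, account, secret and parameters.
    The issuer query parameter wins over the label prefix when both exist."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = unquote(u.path.lstrip("/"))
    prefix, sep, rest = label.partition(":")
    issuer_from_label, account = (prefix, rest) if sep else ("", prefix)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account,
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, at_time=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time (now if omitted)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at_time is None else at_time) // period)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrol_all(uris):
    """Constructed model of an authenticator app keyed by (issuer, account):
    a later scan with the same key replaces the earlier entry's secret."""
    store = {}
    for uri in uris:
        p = parse_otpauth_uri(uri)
        store[(p["issuer"], p["account"])] = p["secret"]
    return store


# Two Keycloak systems, same realm and username, different TOTP secrets
# (constructed sample data).
SECRET_A = "JBSWY3DPEHPK3PXP"
SECRET_B = "GEZDGNBVGY3TQOJQ"
COLLIDING = [build_otpauth_uri("corp", "alice", SECRET_A),
             build_otpauth_uri("corp", "alice", SECRET_B)]
DISTINCT = [build_otpauth_uri("corp-prod", "alice", SECRET_A),
            build_otpauth_uri("corp-staging", "alice", SECRET_B)]

if __name__ == "__main__":
    print(enrol_all(COLLIDING))      # one entry: system A's secret was overwritten
    print(enrol_all(DISTINCT))       # two entries survive
    print(totp(RFC6238_SECRET, 59))  # RFC 6238 vector at T=59
```

Run it and compare the two stores: with identical labels the second scan silently replaces system A's secret, so codes for system A stop validating, whereas changing only the issuer part of the label (the realm string in Keycloak's case) keeps both. The TOTP secret itself is never affected by the label, which is why the customization the answer describes is purely a rendering change in the bean that feeds the QR code.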