What Is Inside the QR Code
A 2FA QR code usually encodes an otpauth link. It includes the OTP type, service name, account name, secret Base32 token, and sometimes parameters such as code length or refresh period. The app reads these values and adds the account.
The user sees only an image, but the QR code effectively contains the secret. A screenshot of the QR code after setup should be protected like the token itself.
How QR Connects to TOTP
When Google Authenticator, Microsoft Authenticator, or an online authenticator receives the secret from the QR code, it can calculate TOTP. The server keeps the same secret and compares the code submitted by the user.
If the QR code belongs to another account or was replaced during a reset, the generated code will fail. Scan the correct QR code and save recovery codes.
Manual Entry
Many services show a manual key next to the QR code. This is usually the Base32 token. It can be entered into an app or generator when a camera is unavailable.
Manual entry requires care: extra spaces, similar-looking characters, and incomplete copying all cause TOTP errors.