QR code not working with 2FAS authentication app #710

@fb656720

Description

Describe the bug

The QR code is working for the Google Authenticator and Microsoft Authenticator apps, but not for the 2FAS authenticator app, which reports:

This QR Code does not work!

If you manually add the shared secret key it works.

Steps to Reproduce

  1. Install the 2FAS app on a phone
  2. Create a user
  3. Edit user
  4. Go to Authenticator App section and scan QR code
  5. See error message on phone.

Screenshots, screen recording, code snippet

It looks as though the URI is created with the wrong function to create the QR code. It is interesting that both Google and Microsoft ignore this.

I guess 2FAS is just a bit more fussy and doesn't like the '&' being converted into '&#038;'.

The issue appears to be in this file:

wp-content/plugins/two-factor/providers/class-two-factor-totp.php

and can simply be fixed by changing esc_url to esc_url_raw before passing it on to the QR code rendering code.

Here's a diff of a change I made which resolved the issue for me. I also tested it with Google and Microsoft authenticators, and the new format QR codes worked with both.

--- wp-content/plugins/two-factor/providers/class-two-factor-totp.php	2025-07-29 16:10:32.646839477 +0100
+++ wp-content/plugins/two-factor/providers/class-two-factor-totp.php.new	2025-07-29 16:12:38.596136554 +0100
@@ -255,7 +255,7 @@
 		 * @param WP_User $user     The user object.
 		 */
 		$totp_url = apply_filters( 'two_factor_totp_url', $totp_url, $user );
-		$totp_url = esc_url( $totp_url, array( 'otpauth' ) );
+		$totp_url = esc_url_raw( $totp_url, array( 'otpauth' ) );
 
 		return $totp_url;
 	}
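
Review bot: The changed line returns the URI without HTML entity encoding, and nothing in the visible docblock tells callers that. Because the value has just passed through the two_factor_totp_url filter, any caller that prints it into markup (an attribute or visible text) needs to escape it at the point of output. Suggest adding a line to the docblock stating that the return value is a raw otpauth URI meant for the QR encoder, not for direct output.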

Environment information

  • WordPress version 6.8.2
  • Two-Factor version 0.14.0
  • Android handset using Google, Microsoft and 2FAS authentication apps.

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes
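
The following is an added example, not part of the original issue and not code from the plugin: it shows what a standard URI parser sees when the '&' in an otpauth URI has been turned into '&#038;' before QR encoding, and a check that flags it. The function names, issuer, account and secret are constructed for illustration, and the replacement step only emulates the conversion the issue describes.

```python
from urllib.parse import urlsplit, parse_qs, quote, urlencode


def build_totp_uri(issuer, account, secret):
    """Build an otpauth:// provisioning URI from constructed sample values."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def html_escape_ampersands(uri):
    """Emulate the '&' -> '&#038;' conversion described in the issue.
    Assumption: this stands in for HTML-context escaping; it is not WordPress code."""
    return uri.replace("&", "&#038;")


def inspect_totp_uri(uri):
    """Parse the URI as a scanner would and report anything a strict parser could reject."""
    parts = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "otpauth":
        problems.append("scheme is not otpauth")
    if parts.fragment:
        # The '#' of '&#038;' starts a fragment, so every later parameter is cut off.
        problems.append("unexpected fragment: " + parts.fragment)
    if "secret" not in params:
        problems.append("missing secret parameter")
    return {"params": params, "fragment": parts.fragment, "problems": problems}


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    raw = build_totp_uri("Example", "alice@example.com", "JBSWY3DPEHPK3PXP")
    for name, uri in (("raw", raw), ("html-escaped", html_escape_ampersands(raw))):
        print(name, uri)
        print("  ", inspect_totp_uri(uri))
```

Running the same check on the string handed to the QR renderer catches a URI that was escaped for HTML output rather than left raw for encoding.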
