Is there a way to expire a QR code? If we email the QR code to a person’s email upon registration, what prevents someone from getting a hold of that token later on and adding the same token and using it to gain access?
No.
The KeyURI as defined by Google is designed for a most convenient user experience and for the least security.
The KeyURI contains the unencrypted, plain text symmetric key for your OTP token.
If it is a TOTP token, everyone who ever finds the QR code in the future will be able to scan a 1:1 copy of this (weak) 2nd factor.
It is immanent to protect and destroy the QR code.
This is by design. As mentioned by Google.
If you want a bit more secure enrollment, use the privacyIDEA Authenticator App and do 2step enrollment with privacyIDEA.
If you want an even safer enrollment use Push tokens.
enrollment concepts
privacyIDEA is open and free. And it leaves you the choice. There are myriad possibilities to design your enrollment process. There is not the one true way.
A core task for the company behind privacyIDEA is to discuss and design such enrollment process with customers. Each one is a little bit different, since every scenario can have slightly different aspects and requirements.
privacyIDEA e.g. offers the “registration token”. This can be sent via Email. The user can use this one to log in once and then enroll a smartphone TOTP without the QR code being sent.
You could however use SMS- or Email-Tokens to do so…
You automate things. Disable freshly enrolled tokens.
Activate tokens after some certain event.
…but you cannot invalidate this convenient, evil QR code!