Yeah it might make more sense to use slugs instead of the actual group name when storing the key. Right now when you go to the group page you use a slug in the url and then the code grabs the group name using that slug to load the correct group's data.
I'm a huge fan of two-factor authentication, and it's one of those ideas that's been banging 'round my head for the past little while. It's a neat idea and works well in practice because people have always got their phones on them.
SMS 2-factor auth still has one annoying barrier, and that is relying on cell phone networks to deliver the token. I hate that.
I much prefer HOTP (or even better, TOTP), where all I have to do is register the secret once on my phone, and I can use it to derive the token anywhere, even in places where I don't have signal (which annoyingly, happens a lot).