TOTP Off
Comments
-
@prime: Jeez. I've definitely had my share of issues with system clocks, but that's a new one to me. I guess just add "fix time" to the weekend update checklist. :lol:
As Rick said earlier, if there's an issue with the TOTP generator code, it's definitely worth investigating. But if you're seeing the same codes just staggered a bit time-wise, that's unfortunately just part of how the standard works, being time-based.
If you are seeing something being generated completely incorrectly, save the TOTP secret, disable TOTP on the account, and then give us the now-invalid TOTP secret so we can test it to figure out what's going on. :)
0 -
@brenty I wish I could take a photo of all 3, and maybe when I have time I can. One thing I do know, saving the 2fa code (that code when you can’t use the QR code) works and I still save it. Just. It sure why it’s off. Just now I logged into 1Password.com and the 2fa code automatically loaded, but did not work.
I only know about the clock because of the 2fa :lol: one day it wasn’t working at all and noticed the time. Fix the rims, All was working.
0 -
:) :+1: If you're able to (when you have time -- sorry, pun) provide an invalidated TOTP secret and/or QR code to test with, I'll be happy to look into it. :)
0 -
So something interesting. I use the TOTP a lot for Facebook because I use Firefox Focus for it, so I always need to log in. The TOTP is always correct, no issues at all. When I log into my 1Password account, that's when I have an issue.
0 -
That's not super surprising. There's a fair bit of variation, since the spec allows for this. On the one hand, the window for moving from one code to the next is not necessarily the same for each service. From the RFC:
We RECOMMEND a default time-step size of 30 seconds. This default value of 30 seconds is selected as a balance between security and usability.
But that's just a default/recommendation. There's a lot of flexibility to change the time frame of codes being generated, and also how long to accept them:
Because of possible clock drifts between a client and a validation server, we RECOMMEND that the validator be set with a specific limit to the number of time steps a prover can be "out of synch" before being rejected. This limit can be set both forward and backward from the calculated time step on receipt of the OTP value.
They also give an example:
If the time step is 30 seconds as recommended, and the validator is set to only accept two time steps backward, then the maximum elapsed time drift would be around 89 seconds, i.e., 29 seconds in the calculated time step and 60 seconds for two backward time steps.
That's a good one, I think, because it illustrates that even a small differential between client and server can result in a mismatch. The window can be as wide as ten minutes...but there are good reasons to keep it small:
a larger time-step size exposes a larger window to attack. When an OTP is generated and exposed to a third party before it is consumed, the third party can consume the OTP within the time-step window.
Half snarky, half serious, it doesn't surprise me that Facebook might have a wider window for accepting codes. They just have very different priorities. :)
0 -
Half snarky, half serious, it doesn't surprise me that Facebook might have a wider window for accepting codes. They just have very different priorities. :)
:lol:
I'm trying to give you guys as much info as I can. I just think it's strange...
Soon when things settle down, I'll move to the Yubico key, and this will be a moo point... ya know, a cows opinion... it doesn't matter... moooo (for anyone who watches Friends will get this reference)0