one-time password has duplicate values

joseph_fsm
Community Member

I've been updating/moving my 2FA from an authenticator to 1Password. Since it's easier to scan with my phone, I prefer to enter the codes this way. However, today I noticed that the resulting code on my PC is different than on my mobile phone.

This ought not be so. I think I found a bug.


1Password Version: 8.4.1
Extension Version: Not Provided
OS Version: Windows 10 21H2
Referrer: forum-search:one-time password duplicate values

Comments

  • joseph_fsm
    Community Member

    False alarm! My PC won't keep the current time no matter how hard I point my finger at it. This was the culprit...

  • ag_ana
    1Password Alumni

    Thank you for the update @joseph_fsm!

  • molgar
    Community Member
    edited December 2021

    Hi, I am having this same issue. I can't change either the phone time, or the PC time (as it is company managed). Shouldn't 1P be able to show the same 2FA code regardless of the device time? I don't recall this happening in previous versions.

  • ag_ana
    1Password Alumni

    @molgar:

    > I can't change either the phone time, or the PC time (as it is company managed). Shouldn't 1P be able to show the same 2FA code regardless of the device time?

    No, because the generated TOTP depends on the system time. So if the time is different on two devices, the generated codes will be different.

  • molgar
    Community Member

    So that means that any machine generating a TOTP that is not well synced to the (atomic?) time would inevitably yield a wrong code. It would be nice of 1P to ensure the code is correct regardless of what the machine time is, as machine time can sometimes be wrong for whatever reason.

    I guess this would be a feature request.

    Thanks,

  • joseph_fsm
    Community Member

    I'm no programmer but I think authenticators work based upon the correct time and time zone where the end user is.

  • ag_ana
    1Password Alumni

    @molgar:

    > So that means that any machine generating a TOTP that is not well synced to the (atomic?) time would inevitably yield a wrong code.

    Correct, the time needs to be exact. The whole TOTP idea is based on this assumption.

    > It would be nice of 1P to ensure the code is correct regardless of what the machine time is, as machine time can sometimes be wrong for whatever reason.

    This is unfortunately not possible. TOTP stands for Time-based One-Time Password, so you cannot just change the codes to make them "correct"; the codes will be correct if the time on the device is also correct. So I don't think there is anything we can do here, since that is how the algorithm is supposed to work. @joseph_fsm is right here :+1:

  • molgar
    Community Member

    Thanks @ag_ana for the response.

    > so you cannot just change the codes to make them "correct", the codes will be correct if the time on the device is also correct

    Of course, I did not mean for 1P to magically change the OTP to the correct one. But rather to have 1P maintain its own time service, and not rely on system time. This would seem logical for systems such as MS Windows where the computer admin can arbitrarily change the system time.

    I'm not technical, but it seems to me that it would not only make sense, but that it should be possible (at least on MS Windows).

This discussion has been closed.
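
The time dependence discussed in this thread, as an added example that is not part of the original discussion and not 1Password's code: a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step) evaluated on devices whose clocks disagree, plus a verifier that tolerates one step of drift. The secret is the RFC 6238 test secret; the clock offsets and the ±1 step window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given clock reading.

    unix_time is seconds since the epoch (UTC), so the only device
    input to the code is what the local clock believes "now" is.
    """
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset at which `code` matches, or None.

    A non-zero result means the code was valid only because the
    verifier also checked neighbouring time steps.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP, len(code))
        if hmac.compare_digest(candidate, code):
            return drift
    return None

SECRET = b"12345678901234567890"   # RFC 6238 test secret
TRUE_TIME = 1111111109             # constructed "real" time, 1 s before a step boundary

# Constructed devices: label and clock error in seconds.
DEVICES = [("phone (synced)", 0), ("PC, 20 s fast", 20), ("PC, 5 min slow", -300)]

if __name__ == "__main__":
    for label, skew in DEVICES:
        code = totp(SECRET, TRUE_TIME + skew)
        result = verify(SECRET, code, TRUE_TIME)
        status = "rejected" if result is None else f"accepted at step offset {result:+d}"
        print(f"{label:16} code={code}  {status}")
```

Both devices hold the same secret, so any difference between their codes comes entirely from the clock reading passed to `totp`.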