Feature Request - Force OTP Rotation
Some apps, such as Duo, allow users to either wait for the timer to expire or to manually press/tap the "refresh" button to show a new OTP code. 1Password currently only allows users to wait for the timer to expire, which is a problem/headache when using the same login for multiple services where SSO is not an option, such as on macOS with Microsoft Outlook and Microsoft Teams. As the same account as being used for both, and because a OTP code can only be used 1 time, users are forced to wait the 30 seconds for the used code to expire before being given a new code and being allowed to proceed with logging into the second app. If you have even more apps than just those 2 that use the same login, you're stuck waiting for more OTP rotations.
Please add an ability to rotate the code manually.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hi there @SyberCorp
The one-time passwords generated by 1Password are industry-standard TOTPs (time-based one-time passwords) and work quite differently from some proprietary solutions such as Duo, among others.
TOTPs are generated using the combination of the current time (rounded down to the nearest 30 seconds –
mm:00
andmm:30
) and a "seed", a secret which is typically given to you in the form of a QR code that you scan, or as a string of characters, when you set up an online account for two-factor authentication.As such, because of how TOTPs are designed, they will only ever update every 30 seconds, as per the specification. Although you could in theory move your system clock forward or backward to make it generate another one, the server would reject it as invalid, since it's also basing the challenge response on the current time.
This would be the same in other TOTP-compliant apps, such as Google Authenticator, Authy, and so on. The TOTP standard is what enforces the 30-second rollover, rather than 1Password.
I hope that helps explain why one-time passwords work the way they do, but please let me know if you have any questions. :)
— Grey
0 -
Judging by this part of Duo's website:
While both HOTP and TOTP hardware tokens may be imported for use with Duo, TOTP tokens are not recommended, as full support for TOTP token drift and TOTP resync is not available. As a result, imported TOTP tokens may not work for authentication with Duo Security or may fail to work for authentication after a variable period of time.
For best results, Duo recommends HOTP tokens.
It looks like Duo is strongly suggesting the use of HOTPs (hash-based one-time passwords) which use a totally different (and older) method to generate one-time passwords, in which both the client and the server count up by 1 each time a code is used. (The server may accept a certain number of codes "ahead" of the client in case it regenerates codes more than necessary, but this will have a limit – see below.)
That would account for its ability to generate a new code on demand.
Importantly, HOTPs aren't bound to the system clock. This has advantages and disadvantages compared to time-based one-time passwords:
- Time-based one-time passwords are only valid during their 30-second window, which mitigates against "steal now, use later" attacks.
- Hash-based one-time passwords can be regenerated on demand for when you need more than one within a 30-second window.
- Hash-based one-time passwords are vulnerable to what you might call "regeneration drift" where if the authenticator app regenerated too many times, it may end up generating one-time passwords which are far ahead of what the server will accept. How the server will handle this situation will depend very much on its configuration. (Time-based one-time passwords, conversely, only rely on the system clock being accurate to within about 30 seconds for them to be accepted.)
The TOTP algorithm was built on top of HOTP, and provides the additional layer of security that clock-binding brings, which is why 1Password supports TOTP for the one-time passwords it generates.
If you don't want to wait up to 30 seconds for the one-time password in 1Password to refresh, it may be worth having an additional form of two-factor authentication on hand for those situations, such as a hardware security key, which typically don't have a rollover period, or another authenticator app which can fall back to HOTP.
0 -
So, a different method to achieve the same end result. They even go as far as to recommend NOT using TOTP with their app (see below):
TITLE Does Duo support HOTP or TOTP tokens? ANSWER While both HOTP and TOTP hardware tokens may be imported for use with Duo, TOTP tokens are not recommended, as full support for TOTP token drift and TOTP resync is not available. As a result, imported TOTP tokens may not work for authentication with Duo Security or may fail to work for authentication after a variable period of time. For best results, Duo recommends HOTP tokens.
So, with that in mind, what about a way for users to choose globally and/or individually (per login) whether to use HOTP or TOTP? Both methods seem to have some advantages and disadvantages, so why not let the users choose which one to use rather than deciding for them?
0 -
Sorry for the duplicate responses. The first one looked like it vanished somehow and wouldn’t show even after refreshing and clearing cache, so I posted again. You can delete the first one since it’s improperly formatted anyway.
0 -
So, with that in mind, what about a way for users to choose globally and/or individually (per login) whether to use HOTP or TOTP? Both methods seem to have some advantages and disadvantages, so why not let the users choose which one to use rather than deciding for them?
That's because in general the service/site that you want to enable 2FA for does not support that choice.
Most sites only offer 2FA via TOTP (not HOTP).
0 -
Sorry for the duplicate responses. The first one looked like it vanished somehow and wouldn’t show even after refreshing and clearing cache, so I posted again.
Apologies for any troubles. I freed your message from our spam catcher earlier.
0 -
because a OTP code can only be used 1 time, users are forced to wait the 30 seconds for the used code to expire before being given a new code and being allowed to proceed with logging into the second app.
Interesting! The TOTP specification does indeed state this:
The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
However, I can log in into outlook.com in one browser (Safari) and account.microsoft.com in another browser (DuckDuckGo) on the same iPad, using the same credentials (including the same OTP!), within the 30 seconds timeframe!
One can argue whether those two different Microsoft services are the same verifier…
Did you try logging in into your two App with the same OTP within 30 seconds? (I’m curious what happens!)
0 -
@XIII Of course. That’s why I even brought this issue up in the first place. When SSO is not an option, such as when you’re on macOS and have MS Office and MS Teams installed as apps (not using the web apps via browsers), you have to log into each app individually. If you attempt to use the same TOTP for both apps, it displays a message stating the code has already been used and to try again with a new code, which is where the annoyance of having to wait 30 seconds comes in).
0 -
Thanks for the feedback. As XIII mentioned, a service would need to support HOTP in order for you to use that when you setup two-factor authentication for that service.
That being said, I've filed a feature request on your behalf to have our product team look into supporting the storage of one-time passwords that use HOTP in the future. 🙂
-Dave
ref: 34859037
1