OTP from Mac works but OTP from Android app doesn't?

bonoforcommunity
Community Member
edited January 2024 in Android

OTP from Mac works but OTP from Android app doesn't!
Just searched a bit, and it seems to be a timing mismatch between devices.

Really not sure why I am forced to keep all my devices in the same time zone. I am a frequent traveller and keep my Mac set to auto-update its time based on location, but my phone is too private a device, and I keep it on my home country time.

Any clean solution please?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • @bonoforcommunity

    The principal reason a 2FA code doesn't work is that your computer's time is slightly off. 2FA codes are generated by your device using the current time, and they change about every thirty seconds. If your computer clock drifts or differs from the server, a wrong code will be generated. Another way to put it: if the clocks on your computer and the server differ, a mismatch in the 2FA codes occurs, resulting in an inability to log in.

    Ensuring the auto-updating of the time is the path forward on the phone. This is not something that is specific to 1Password. You would surely have the same sort of trouble with any service you utilized if the time did not match.

  • bonoforcommunity
    Community Member

    @ag_tommy

    I understand the point, and I have had my share of a bad time doing research on that.

    My question is what can be done to resolve this, as I don't want someone dictating to me what I should and should not do with whichever device I choose to use 1Password with.

    And yeah, would you list for me any common service where people need to be forced by others to set their time?

  • ag_tommy
    edited December 2023

    This is not something that we mandate. This is more about how the standard is created. Codes are based on the device time. If the device is using an incorrect time, then the code will be generated wrong, causing a code mismatch and resulting in a failure to log in.

    "Time-based one-time password (TOTP)"
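As an added illustration (not part of the thread, and not 1Password's code): a minimal RFC 6238 TOTP generator in Python showing that the code is computed from Unix epoch seconds, so a Mac and a phone set to different time zones agree as long as both clocks are correct, while a clock that is genuinely off produces a different code and servers usually tolerate only a step or so of skew. The secret is the RFC 6238 Appendix B test key, used here purely as constructed sample data.

```python
import hmac
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample secret: the RFC 6238 Appendix B SHA-1 test key, not a real credential.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = int(unix_time) // step                 # only Unix seconds matter, never the zone
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def unix_from_local(y, mo, d, h, mi, s, utc_offset_hours):
    """Wall-clock time in a given zone -> Unix seconds, which is what a device feeds into totp()."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(y, mo, d, h, mi, s, tzinfo=tz).timestamp())


def verify(secret: bytes, candidate: str, server_unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew, the usual allowance."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, server_unix_time + k * STEP), candidate):
            return True
    return False


def same_instant_same_code() -> bool:
    """A Mac on UTC and a phone on UTC+9 showing the same instant produce the same code."""
    mac_clock = unix_from_local(2023, 12, 1, 15, 0, 0, 0)    # 15:00 in London (GMT)
    phone_clock = unix_from_local(2023, 12, 2, 0, 0, 0, 9)   # 00:00 next day in Tokyo
    return mac_clock == phone_clock and totp(SECRET, mac_clock) == totp(SECRET, phone_clock)


if __name__ == "__main__":
    print("zone-independent:", same_instant_same_code())
    # A clock that is really wrong is different: 2 s across a step boundary changes the code,
    # but the server's +/-1 step window still accepts it.
    print(totp(SECRET, 1111111109), totp(SECRET, 1111111111),
          verify(SECRET, totp(SECRET, 1111111109), 1111111111))
    # A phone 5 minutes off is 10 steps away and falls outside that window.
    print("5 min skew accepted:", verify(SECRET, totp(SECRET, 1111111109), 1111111109 + 300))
```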

  • bonoforcommunity
    Community Member

    Just wondering if a better name would have been "Device Time-based One Time Password (DTOTP)", instead of calling it simply TOTP, as I believe many people would consider it a "Server Time-based One Time Password (STOTP)", but yeah, that's for those who coined the term.

    I agree it is not mandated by 1Password, and neither are the normal credentials. However, people look for convenience and a better experience, probably the very foundation of the existence of such tools. In this case then, platform versatility gets limited, I believe, as I think no time is incorrect; it's just a matter of the place where it is correct. I am not sure why people won't sacrifice the convenience of storing it there when the sometimes-incorrect and sometimes-correct code (depending on the device) may confuse them, instead of a tool dictating how to control devices.

    Also, not sure if it is really challenging (other than that it won't work without internet, and mostly people will have internet to use the service where they plan to use the credentials) to use just a single source of truth (server time).

  • @bonoforcommunity

    1Password reaching out to a server for the time doesn't seem like the right solution since, as you noted, this would prevent you from using your one-time passwords if you didn't have internet access on your device or if the server was down. Instead, 1Password works locally, for stability and to protect your privacy, by using your device's functions as much as possible.

    As Tommy mentioned, TOTP is an industry standard that 1Password supports but we didn't create the standard.

    We are working to move beyond TOTP with the introduction of passkeys. Passkeys offer a convenient way to log in that is more secure than using passwords. TOTP two-factor authentication was designed to add an additional layer of protection to passwords against phishing. Passkeys are already resistant to phishing and can be considered to have the same level of security as a password plus two-factor authentication, with a lot less friction. You can read more about passkeys here: Save and Sign In with Passkeys Using 1Password on the Web and iOS

    -Dave

  • bonoforcommunity
    Community Member

    I think the primary reason people will use 1Password is to input login info into some internet-based services, so basically all will have to have internet even before going to their login pages. In very few cases will people use credentials with apps that don't require internet to work.

    A server (of an org, that too a reputable one like 1Password) going down is also very unlikely, and if it does, I haven't come across, so far, any public-facing service that exists without redundancy already planned to handle disaster/failover situations.

    But, yeah, I and most people would like to have this generated locally on the device without reaching out to the internet. However, perhaps we should be ready to sacrifice this convenience if we want to kick out the inconvenience of forcing all our devices (wherever we want to use 1Password) to always be in the same time zone. Also, not to mention, consumer devices are much inferior compared to servers, allowing the possibility of the device clock getting offset after a few years.

    And of course, thanks for the info on passkeys taking over from TOTP in the future.

  • Thank you for the discussion. The future of authentication, with new technologies like passkeys, looks bright. Hopefully signing in to services becomes easier and easier as time goes on. 🙂

    -Dave

This discussion has been closed.