Bug?: Editing a OTP shows the code for previous entry after saving

port9
port9
Community Member

I have been testing a websites 2fa system and had trouble at the stage of scanning the qrcode and entering a verification code. But I think it's 1Password showing the OTP prior to the edit once the edit is saved, and not refreshing the code. This only is a problem when editing an existing record with an existing OTP entry, obviously.

So if I go to my login entry in 1password, the OTP section shows 449280.
If I edit the entry, select the OTP section and press the camera icon, and scan the new QRCODE on the screen, (which contains a new secret) - when I press save, go back to the view mode, and still shows 449280 (assuming I was quick at editing and did it within the 30 second window).
If I leave the view screen, and then go back into the same entry, I see a new code, which works. 449280 did not verify on the website, but this new code does.

If I am slower at editing the entry, it doesn't matter, the number will change every 30 seconds as usual, however it is working on the old secret, and not the new one and shows new numbers for the old secret series.

If my process to edit an entry is different, where by I edit the entry, delete the OTP section then add another, use the camera and save, it is fine.

Hope that is explains it, let me know if you need more information.


1Password Version: 8.10.46
Extension Version: Not Provided
OS Version: IOS 18.0.1
Browser: n/a

Comments

  • Hello @port9! 👋

    I'm sorry that 1Password isn't displaying the new one-time password (OTP) when you update a login. I've done some testing on my own iPhone and I haven't been able to reproduce the issue. Can you tell me if you can still reproduce the issue using 1Password for iOS 8.10.48:

    If you can still reproduce the issue then does this occur on every website? Or have you only seen the issue on one specific website?

    -Dave

  • port9
    port9
    Community Member

    Hi Dave,

    Thank you, I can still see the wrong behaviour, on 8.10.48 - let me perhaps give an easier way to reproduce it.

    1) Create a new login in 1password.
    2) Ignore username and password, just add a one time password field
    3) Copy and paste this into the field:
    otpauth://totp/test?secret=NYMURJO6WHUVQ66FOT7ISBAUYIU6777X&issuer=test
    4) Save. OTP is viewable, and changes every 30 seconds as expected.
    - Next bit, you need to be quick and do it with a 30 second window, so start when the OTP changes
    5) Note the OTP code (below, my example)

    6) Edit the entry, change the OTP field to
    otpauth://totp/test?secret=YLHX5ON3ZBDWXFOJSBF7VVTQR653QRKT&issuer=test
    7) Save it. This now has a different secret, so you would expect a different number, instead I see the same number which is the wrong OTP for the new secret:

    8) Exit the entry, and go back in. You actually see the correct new OTP for the new secret

    So as you can see 1Password is not showing the new codes after saving without exiting and re-entering the entry. When I was doing it previously, I was filling the new secret by scanning with a camera of course, but by using the method above, I can speed it up so hopefully you see the problem. When the code changes after 30 seconds, you don't notice that the same code sequence for the old secret is still showing.
    I hope that helps and you are able to re-create this. Thank you for looking at it.

  • @port9

    Thank you for the detailed reproduction steps! I confirm that I can reproduce the issue on my device as well using your steps. I've filed an internal work item with out development team so that they can investigate this further and get it fixed.

    For the time being, viewing another item and then going back to the item that contains your one-time password is the best workaround. I'm sorry for the inconvenience.

    -Dave

    ref: dev/core/core#33714