1PW iOS's MFA code for AWS login is not being calculated correctly

theschles
theschles
Community Member
in iOS

Hi all,

A couple weeks ago our DevOps team rotated the MFA code for our root AWS login.

We get to the point where we scan the 2D barcode.

I scan the 2D barcode with my iOS 1PW app -- which at the time it was completely up-to-date.

Two other members of my team scan the 2D barcode with Microsoft Authenticator on their phones (I think at least one of them is also running iOS).

The resulting generated MFA code from my iOS 1PW app was INCORRECT.

WHEREAS the resulting generated MFA code from my coworkers' Microsoft Authenticator was CORRECT.

We even waited for a couple of the 30-second code rotations. iOS 1PW was still incorrect.

We then did it again -- this time I scanned the 2D barcode both with iOS 1PW AND iOS Microsoft Authenticator.

SAME SITUATION:

  • My iOS Microsoft Authenticator-generated codes were CORRECT
  • My iOS 1PW-generated codes were INCORRECT

Up until now, my iOS 1PW-generated codes have been JUST FINE. Did AWS change their algorithm?

1Password Version: 8.10.50
Extension Version: Not Provided
OS Version: iOS 18
Browser: Not Provided

Comments

  • GreyM1P
    GreyM1P

    Hi there @theschles

    Chances are far more likely that your system clock on your iPhone is wrong. One-time passwords are generated based on the clock on the device in question, so if your one-time password is wrong, that suggests the clock is wrong, especially if other people using the same secret are seeing correct codes.

    ☞ Go to https://time.is/ on your iPhone to see how accurate (or not) the system clock is, and adjust it if necessary in the Settings app > General > Date & Time.

    Hope that helps! :)

    — Grey

  • theschles
    theschles
    Community Member
    edited November 9

    Hi @GreyM1P ,

    1) As of this moment, my iPhone clock is completely in sync to the second with https://time.is/

    2) The TOTP codes generated by 1PW and by Microsoft Authenticator would have been generating off of the SAME iPhone hardware clock, correct?

    So why would 1PW's generated TOTP code be WRONG...
    ...and the Microsoft Authenticator be CORRECT?

    Hmmm...when I posted yesterday, I hadn't compared the generated codes between 1PW and Microsoft Authenticator since when the issue happened on October 28, 2024.

    As of this moment...they match?!?

    Was there an update to the 1PW's TOTP generation code between then and now?

  • GreyM1P
    GreyM1P

    @theschles

    As of this moment...they match?!?

    That's great! I can't say for sure what happened previously, but if I had to take an educated guess it might be that your iPhone's clock re-synced with internet time since then.

    So why would 1PW's generated TOTP code be WRONG...and the Microsoft Authenticator be CORRECT?

    It could be (although I don't speak for Microsoft here of course) that Microsoft Authenticator is using internet time rather than the local clock for its source of time. That relies on an internet connection at all times, of course – if that is the case – whereas 1Password uses the system clock which doesn't.

    Generally speaking, the system clock on most devices is set automatically according to internet time, so although I can't say for sure what's happened in your case when it wasn't working, it sounds like it is now.

    Keep an eye on things and let us know if you run into any similar trouble in the future.