TOTP URI 'period' parameter is ignored if value is above 255

jmml97
jmml97
Community Member
in Mac

Hi. I am a long time 1Password user. I recently set up a new service that uses TOTPs.

The problem I am having is that the codes needed for this service are synchronized with a period of 300 seconds (5 minutes).

But when the URI is inputted into the TOTP field in 1Password the generated codes have a period of 30 seconds.

I have tried changing the values of the period to test the problem and have found that codes are generated with the correct period only for period values under 256. Any period value above that is ignored and defaulted to 30 seconds. (Without showing any error or warning).

I am opening this discussion to report this as a bug, as other services (such as Apple Passwords app) accept the 300 seconds period and generate the correct codes. 1Password should to be able to generate TOTPs with periods longer than 255.

Thanks.

1Password Version: 1Password for Mac 8.10.56 (81056028)
Extension Version: 8.10.56.28
OS Version: macOS 15.2
Browser: Safari

Comments

  • Dave_1P
    Dave_1P

    Hello @jmml97! 👋

    Thank you for reaching out! I'm done some testing and I can confirm that 255 is the current maximum period for time-based one-time passwords (TOTP) in 1Password.

    While I can't make any promises, I'm happy to file a feature request with the team on your behalf to look into raising this limit if possible. Can you tell me a little more about the use case for needing such long periods? Most TOTPs default to 30 seconds. Knowing more about the need to a change like this will help our product team prioritize the request.

    -Dave

    ref: dev/core/core#39

  • jmml97
    jmml97
    Community Member

    Hi @Dave_1P!

    Thank you for your answer and your testing.

    I need to use that period because the service I am connecting to uses TOTPs with a period of 300 seconds. It is something the service sets on their end, so** it's not something that I can change on my own**. I agree it's more common to have 30s but in this case they have chosen to use 5 minutes as their TOTP period.

    The way it fails silently on 1Password after 255 and that being exactly 8 bytes it seemed to me that it's a bug. But that's only a guess.

    Thanks for your help.

    José María

  • Dave_1P
    Dave_1P

    @jmml97

    Thank you for that additional information. I've passed this along to the team internally.

    -Dave

    ref: dev/core/core#39
    ref: PB-45544784

  • jmml97
    jmml97
    Community Member
    edited January 14

    @Dave_1P Thank you very much!

    • José María
  • Dave_1P
    Dave_1P

    Thanks again for reporting this! 🙂

    -Dave