Wrong OTP on mobile.

mb10101
Community Member
edited March 2015 in iOS

1Password Team,

I emailed on this a few days ago, but haven't heard anything back as of yet. This is a major issue and prevents successfully logging on to OTP-protected websites using the codes generated from mobile. Below is the text of the email, with edits for clarification:

I have two iPhones, both synced via Dropbox. Both apps are up-to-date. Both of them display the same OTP PIN and the ticking clocks are in sync when compared to each other. These codes are being rejected as incorrect by websites when I try to log in.

When I go to the desktop app, which is also synced to the same Dropbox and also up-to-date, it shows a different OTP code. The ticking clock is slightly off from the iOS app. This is the OTP code that works.

Both the desktop and iOS devices have the correct date/time. Both the desktop and iOS have the same OTP secret.

EDIT: This does not affect ALL website OTP codes, only some of them.
Affected codes include: Outlook.com, Dropbox.com
Unaffected codes include: Wordpress.com

Something is amiss, and I do not like. I suspect the issue has to do with DST change. I am in US/Eastern time zone.

Any assistance you could provide would be appreciated. I am happy to provide any other information that may be of use.

Edit for version numbers:
1Password Windows 4.2.0.548
1Password iOS 5.2.1
Dropbox iOS 3.7
Dropbox Windows 3.2.9
iOS 8.2

Comments

  • mb10101
    Community Member
    edited March 2015

    1Password Team,

    I suspect I found the issue. Here's what I've been doing, and how I found it.

    When using the desktop app, and activating OTP on a website, I would show the secret, and then copy/paste the secret into 1Password to set up the OTP token and verify the code. This worked great. I did use the camera to set one up, but c'mon! It's, like, waaaaaay over there and stuff. That's too far. I haz the lazy. :P

    I compared the affected/unaffected codes and noticed that the affected codes all had spaces replaced by percent-two-zero in the secret= parameter. When I edited the secret to remove these characters, so that the secret was a set of characters with no space delimiters, saved, synced, and compared iOS to desktop, they were now in sync, and the codes were valid again.

    This appears to be a bug in the way the OTP secrets are processed on the iOS app.

    Please, please, please, for the love of all 1Password users everywhere, fix this promptly. :)

  • We do have a bug filed that I believe is likely related to this issue. I'll add your comments to that for our developers to review. Thanks!

    ref: JLY-86449-724

    ref: OPI-2311

This discussion has been closed.
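
An added example, not part of the original posts and not 1Password's code: one way a client can normalize a `secret=` value that was pasted with group spaces (stored as `%20`) before deriving the TOTP key, so every client computes the same code. The function names are hypothetical, and the secret is the constructed RFC 6238 test seed, not a value from this thread.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: base32 of the RFC 6238 SHA-1 test seed "12345678901234567890".
CLEAN = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SPACED_RAW = "GEZD%20GNBV%20GY3T%20QOJQ%20GEZD%20GNBV%20GY3T%20QOJQ"
CLEAN_URI = "otpauth://totp/Example:alice?secret=" + CLEAN + "&issuer=Example"
SPACED_URI = "otpauth://totp/Example:alice?secret=" + SPACED_RAW + "&issuer=Example"

def normalize_secret(raw: str) -> bytes:
    """Turn a pasted or percent-encoded base32 secret into key bytes."""
    s = unquote(raw)                                  # "%20" -> " "
    s = "".join(s.split()).replace("-", "").upper()   # drop grouping separators
    s = s.rstrip("=")
    s += "=" * (-len(s) % 8)                          # restore base32 padding
    return base64.b32decode(s)                        # ValueError on non-base32 input

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_from_uri(uri: str, unix_time: int) -> str:
    """Extract secret= from an otpauth://totp URI and compute the code."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secret = parse_qs(parts.query)["secret"][0]
    return totp(normalize_secret(secret), unix_time)

def strict_decode_fails(raw: str) -> bool:
    """True if the stored string is not valid base32 as-is (no normalization)."""
    try:
        base64.b32decode(raw)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for label, uri in (("clean", CLEAN_URI), ("spaced", SPACED_URI)):
        print(label, totp_from_uri(uri, 59))
    print("raw %20 form rejected by strict decoder:", strict_decode_fails(SPACED_RAW))
```

A client that skips the normalization step either rejects the stored string or derives a different key from it, so checking stored secrets for characters outside the base32 alphabet is a quick way to find affected entries.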