TOTP generates incorrect number
I'm trying to use 1Password's new TOTP generation/two-factor authentication feature for an account, but the number it generates is completely different from the number the official app generates.
The official app is called DUO, and it provides a QR code which I scanned.
Comments
-
Hi @timothymh,
I found an app called Duo Mobile, is that the one you're referring to?
Now it's only a single attempt but I copied over the secret from an item in my test vault to this Duo Mobile app and both are returning the same code. It doesn't mean to say there might not be an issue here but I can think of a couple of other aspects to confirm first.
Are both your Mac and iOS clocks correct? Normally they should be querying a time server on a regular basis to ensure their clocks haven't drifted. If for some reason one of your devices wasn't though and there was a difference between your Mac and iOS device then it could explain this. As the OTP codes are only good for 30 seconds if there was enough drift then they would never show the same code.
Another possibility is there is more than one protocol out there for TOTP. I notice the Duo Mobile app supports one called Duo Security, possibly also known as Duo Push. Assuming the secret or key used is of the same form it could be you have an entry for this Duo Push on your iOS device giving a correct code but when entered into 1Password will give the incorrect code because we don't support this other protocol.
Could either of these explain what you're seeing at all?
0 -
@littlebobbytables: yes, my clocks are correct. As you suggested, I expect it's due to a non-standard protocol. Here's what I see after entering my username and password: http://cl.ly/acGz
It's not simply using Duo as a code generator, it is specially linked to the app such that it can send push notifications and such. There is one option to generate a code, for if your phone is not connected to a network, and when setting that up it provides a QR code which can be scanned with the Duo app. I tried scanning it with 1Password and got the results I mentioned.
Would you need to work with Duo to support this feature? (Is there a way to reverse engineer the algorithm given the QR code and several outputs?)
0 -
Hi @timothymh,
It does sound like we've found the root of the issue. At the moment we support just the TOTP as specified in RFC6238. It's the one used by Google and the most common of the protocols used. Support for any other protocols would require access to the specification but it would also need to be popular. As you can imagine we get a lot of requests for feature requests and improvements. While we would love to add everything pragmatics does come into play and we sometimes have to ask, would this be used by more than a handful of our users or would many make use of it?
It might be Duo are incredibly popular and we should look at adding support, assuming their work is either documented or they are willing to work with others. It might be they expect their users to use their app though. I'm not in a position to say as your post was the first I've heard of them. If I'm correct it's aimed as some sort of unifying TOTP service, possibly aimed at system administrators?
0
