Bug on one time password

bigboyq
Community Member
edited May 2015 in iOS

I am using Authy and 1Password as my two-factor authentication managers, and both of them work on Google.
But when I use both of them on Bandwagonhost, I found that 1Password shows the wrong code, while Authy shows the right one.
One example here:
otpauth://totp/KiwiVM:VEID: 168168?secret=XXXXXXXXXXXXXXXX&issuer=KiwiVM

The secret and VEID were masked!

Please fix it, thanks

Comments

  • littlebobbytables
    1Password Alumni

    Hi @bigboyq,

    It isn't clear from your post if that secret was a fake one or not. On the assumption that it wasn't, I urge you in the strongest terms to disable 2FA, and then re-enable it. This will hopefully force the generation of a new secret which you will then need to save.

    As for the issue, I tried creating an account at BandwagonHOST but I couldn't see any 2FA to enable. Can I ask what the 2FA is in relation to?

  • bigboyq
    Community Member

    Yup, the secret I supplied is masked. Please leave a mailbox or just give me your mail, and I will send you the real one. The 2FA of Bandwagonhost is under Services-My service-KiwiVM control; maybe you should create a service first.

  • littlebobbytables
    1Password Alumni
    edited May 2015

    Hi @bigboyq,

    Thank you for the image. Well, I've done a little tinkering around and here's what I found.

    With the QR code you supplied, both the Authy and Google Authenticator iOS apps refused to add the TOTP, saying it was an invalid code. 1Password scanned the otpauth path but generates a different code than if you strip away everything but just the secret (the important bit).

    I tried various adjustments and what I discovered was that if I removed the space in the path, 1Password would then display the correct TOTP code.

    Here's a fake URL based on the format used by KiwiVM. @bigboyq, the user ID and the secret were randomly generated and replaced their respective parts in the example you sent me.

    KiwiVM otpauth used to generate QR code
    otpauth://totp/KiwiVM:VEID: 465300?secret=JL3THERPIOM22NF4&issuer=KiwiVM

    Resulting QR code

    This behaves in the same manner for me: Authy and Google Authenticator refuse to add it, citing invalid code. 1Password will add it but display the wrong TOTP code.

    KiwiVM otpauth used to generate QR code (space after VEID: is removed)
    otpauth://totp/KiwiVM:VEID:465300?secret=JL3THERPIOM22NF4&issuer=KiwiVM

    Resulting QR code

    Authy, Google Authenticator and 1Password will successfully scan and add it, and all will show the same TOTP code.

    Here's an example of all three on a test Login item

    Now I could be wrong, but my initial investigation would suggest KiwiVM are generating an invalid URL by using a space instead of encoding the space as %20, and indeed, if you use otpauth://totp/KiwiVM:VEID:%20465300?secret=JL3THERPIOM22NF4&issuer=KiwiVM it generates the following

    which also works in all three. So we could improve our one-time password with more error checking, but I think this one may need to be addressed by KiwiVM.

    Let us know any thoughts you have on the matter :smile:

    ref: OPI-2311

  • bigboyq
    Community Member

    I very much appreciate what you have done. Actually, I forgot to mention that, as you found, Authy failed to scan the code, but I manually coded the secret, which resolved the problem.
    After your explanation, I understood the problem, and I fixed it manually in 1Password.
    There are two things I should say:
    1. There is a bug in the QR code generation of Bandwagonhost; I should submit a ticket to let them know.
    2. I think there is also a bug inside 1Password: no matter what the QR code says, 1Password should only focus on the characters between "secret=" and "&"; the other parts of the URL should not influence the 2FA code. Obviously, the current 1Password has some error in handling the URL. I wish it could be resolved soon.
    In conclusion, thanks for the support; I appreciate it very much. I love 1Password and all you guys.

  • Megan
    1Password Alumni

    Hi @bigboyq,

    I'm so glad to hear that littlebobbytables was able to help you out here. Thanks for letting us know that you're all sorted, and for the kind words about 1Password!

    We are working on making 1Password smarter when dealing with these secrets (in particular, teaching it to focus on the part of the secret that really matters) and we'll do what we can to have this behaviour improved soon.

    ref: OPI-2311

    In the meantime, if you have any further questions about 1Password, we're here for you. :)

This discussion has been closed.
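
The parsing behaviour discussed in this thread, as an added example that is not part of the original posts and is not 1Password's, Authy's or KiwiVM's code: a tolerant otpauth parser that reads the key only from the `secret` query parameter, run over the three fake URIs quoted above. The helper names (`parse_otpauth`, `totp`, `codes_at`) and the timestamp are hypothetical, and the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) are assumed because the URIs set none.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlsplit

# The three fake URIs from the thread: raw space, no space, %20-encoded space.
THREAD_URIS = [
    "otpauth://totp/KiwiVM:VEID: 465300?secret=JL3THERPIOM22NF4&issuer=KiwiVM",
    "otpauth://totp/KiwiVM:VEID:465300?secret=JL3THERPIOM22NF4&issuer=KiwiVM",
    "otpauth://totp/KiwiVM:VEID:%20465300?secret=JL3THERPIOM22NF4&issuer=KiwiVM",
]

def parse_otpauth(uri):
    """Return (label, key_bytes); hypothetical helper, not any vendor's parser."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    # The label is display-only: decode it, but never derive key material from it.
    label = unquote(parts.path.lstrip("/"))
    secrets = parse_qs(parts.query).get("secret", [])
    if len(secrets) != 1:
        raise ValueError("expected exactly one 'secret' parameter")
    b32 = secrets[0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped base32 padding
    try:
        return label, base64.b32decode(b32)
    except ValueError as exc:             # binascii.Error subclasses ValueError
        raise ValueError("secret is not valid base32") from exc

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed defaults; the URIs set none)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F            # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def codes_at(unix_time, uris=THREAD_URIS):
    """One code per URI; all are equal when only the query's secret is used."""
    return [totp(key, unix_time) for _label, key in map(parse_otpauth, uris)]

if __name__ == "__main__":
    for uri in THREAD_URIS:
        label, key = parse_otpauth(uri)
        print(repr(label), totp(key, 1_430_000_000))  # constructed timestamp
```

A stricter importer could additionally reject the first URI because of its unencoded space, which matches the refusal reported for Authy and Google Authenticator.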