Windows / Mac OTP invalid. iOS OTP valid [TOTP accuracy is dependent on system time accuracy]

kathampy
Community Member
edited June 2015 in 1Password 4 for Windows

The OTP generated by 1Password on Windows and Mac is invalid. However at the same time, the OTP generated by iOS is valid. The clocks are synchronized correctly. If I delete the OTP and rescan it on Windows or Mac, it works for the time being and stops working again in the future (probably after a reboot). The iOS OTP is always valid.

This happens for all my logins (Google, Facebook, GitHub, Microsoft).


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @kathampy,

    If you compare the codes between Mac, iOS, and Windows, do they sync up or does it feel like the Mac/Windows are falling behind?

  • kathampy
    Community Member
    edited June 2015

    I looked at several codes over a few minutes and the iOS and desktop versions had none in common both backwards and forwards. Even when I re-add the OTP on the desktop and it temporarily starts working, it does not show the same code as iOS (even after iOS has synced the new OTP).

  • svondutch
    1Password Alumni
    edited June 2015

    @kathampy Is the time on your Windows PC synchronised with the time on your iPhone? You might want to follow these steps:

    1. Open your Control Panel
    2. Click on: Date and Time
    3. Click on the tab labelled Internet Time
    4. Click on the button labelled Change settings
    5. Click on the button labelled Update now

    Please let us know how it worked out. Thanks!

  • kathampy
    Community Member
    edited June 2015

    My Windows PC is on a domain so it would only sync with the domain controller. It is accurate to within a few seconds though. My Mac synchronizes with Apple and it's accurate to within a second of various online time websites. Both of them are within 30 seconds of the iPhone. The OTP from both are still invalid and have no overlap with the OTP from the iPhone at all, even over a period of several minutes.

    Whatever app is generating the OTP should ideally sync itself if there is an Internet connection without affecting the system time.

    This does not explain how adding a new OTP works temporarily.

  • svondutch
    1Password Alumni

    @kathampy Without revealing your secret to me, can you tell me what it looks like? Is it an otpauth:// URI? If yes, can you maybe send it to me? Please remember to blank out your secret before you do. Thanks!

  • kathampy
    Community Member

    otpauth://totp/Microsoft:x@x.x?secret=XXXXXXXXXXXXXXXX&issuer=Microsoft

  • svondutch
    1Password Alumni
    edited June 2015

    @kathampy This is super weird because I'm using two-step verification with my MSFT account, and I do not see a discrepancy between 1Password for Windows and Authenticator on my iPhone. They both generate the same TOTP for me.

    What version of 1Password for Windows are you running?

  • kathampy
    Community Member
    edited June 2015

    Not at my PC right now, but the very latest stable version on all platforms. Even when I re-add the OTP from the PC, it works, but is not the same as the iPhone one (which also works after syncing). Then the PC one stops working some time in the future.

  • svondutch
    1Password Alumni
    edited June 2015

    @kathampy Can you please install Google Authenticator on your iPhone and compare this with 1Password? I suspect 1Password for Windows is doing the right thing and there might be a problem with 1Password for iPhone, but your findings seem to contradict this. Thanks!

  • kathampy
    Community Member
    edited June 2015

    Disabling "Set Automatically" in Date & Time on my iPhone seems to have resolved the issue. The time limit on the Microsoft account is much shorter than the Google account which gave the false impression that it was working sometimes.

  • kathampy
    Community Member

    It doesn't make sense. The iOS codes should have been the ones not working. It's probably temporarily working since I re-added them.

  • kathampy
    Community Member
    edited June 2015

    Google Authenticator shows the same values as 1Password.

  • Thanks for letting us know.

    I've run multiple tests with different devices now and found that even if I set my Surface Pro 2 to use Apple's European time servers, the clock between the Surface Pro 2 and my Apple device always seems to be half a second off, resulting in 1Password 4 for Windows getting a new OTP half a second later than 1Password 5 for iOS.

    Unless I enter my password in this exact time window, the process works.

    How large is the discrepancy in your case?

  • kathampy
    Community Member
    edited June 2015

    I am not seeing the same OTP on iOS & Windows at all. Initially only the iOS OTP works and the Windows OTP doesn't. If I re-create the OTP on Windows, then the Windows OTP works, and after syncing the iOS OTP also works. Even after this, both the working iOS and Windows OTPs are never the same!

    The time difference between Windows and my iPhone is around 40 seconds to a minute. It varies every few days since my PC syncs to a domain controller. However my Mac syncs to Apple directly and it doesn't share the same OTP as iOS either and the same problem occurs there.

  • svondutch
    1Password Alumni
    edited June 2015

    > The time difference between Windows and my iPhone is around 40 seconds to a minute.

    @kathampy This is where your problem is. Time is a crucial factor in time-based two-step verification.

    In our testing, 1Password for Windows generates the same TOTPs as Google Authenticator.

    When in doubt, use 1Password for Windows or Google Authenticator, and please make sure your system time is correct (preferably synchronized with a time server).

  • AGAlumB
    1Password Alumni

    @kathampy: svondutch is correct: time is a key component of a Time-based One-Time Password. :(

    > However my Mac syncs to Apple directly and it doesn't share the same OTP as iOS either and the same problem occurs there.

    iOS devices synchronize time with your cell carrier (iPhones and iPads with cellular service) or, failing that, with the Atomic Clock (Wi-Fi-only iPads or iPod touch), not Apple. You should encourage your 'domain' administrator to use an NTP server as well, as you'll continue having TOTP issues there otherwise.

  • Hey @kathampy,

    Another one of our awesome customers (I'm looking at you @RisingPixels) had the same issue but figured out a possible cause for the problem and a way to solve it in their case:

    The Windows time service responsible for initiating a connection with the time servers at Microsoft (or whatever you have set up) might not be starting and thus not properly syncing the system clock.

    To check whether this is the case, access the Local Services control panel in Windows and make sure it's set up correctly.

    1. Windows 7: Invoke the Start Menu > in the search field, enter "Local Services" > click the result that shows up. Windows 8: Invoke the Start Screen > Start typing "Local Services" > click the result that shows up.
    2. In the Local Services control panel, look for the entry Windows Time Properties and double click it.
    3. On the 'General' tab of the properties window, set the Startup Type to Automatic.
    4. Reboot your PC.

  • kathampy
    Community Member
    edited June 2015

    I overrode the domain controller synchronization with

        w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update

    and now the OTPs are the same.

    It seems Google has a much larger window for OTPs which is why they seem to work sometimes even though the Windows and iOS codes were different.

  • AGAlumB
    1Password Alumni

    @kathampy: Ah, excellent! Indeed, they allow for some buffer there (although I'm not sure exactly how much). Of course, if it's right on the cusp, it's entirely possible that even a slight drift in the system timer over days and weeks could cause it to go out of bounds as well. Thanks for letting us know that worked for you! :)

  • svondutch
    1Password Alumni
    edited June 2015

    > and now the OTPs are the same.

    @kathampy Thanks for letting us know!

    > It seems Google has a much larger window for OTPs

    @kathampy You're right. The server will typically accept OTPs generated from timestamps that differ by ±1 from the client's timestamp, but their mileage might vary.
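
Added example, not part of the original thread and not 1Password's code: an RFC 6238 TOTP generator plus a server-side verifier with a configurable step window, counting for how many seconds of each 30-second step a client with a skewed clock is accepted. The secret is the RFC 6238 test key, `START` is a constructed timestamp, and the window sizes are assumptions rather than any provider's actual policy.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
# RFC 6238 test key, base32-encoded as it would appear in an otpauth:// URI.
SECRET = base64.b32encode(b"12345678901234567890").decode()
START = 1_433_116_800  # constructed timestamp, aligned to a 30 s boundary


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (the otpauth:// default)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // STEP  # the only place the clock enters
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Return the step offset that matched (-window..+window), else None."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None


def accepted_seconds(secret_b32, skew, window):
    """Of the 30 seconds in one server step, count those at which a client
    whose clock runs `skew` seconds ahead submits a code the server accepts."""
    return sum(
        verify(secret_b32, totp(secret_b32, t + skew), t, window) is not None
        for t in range(START, START + STEP)
    )


if __name__ == "__main__":
    for skew in (5, 40, 45, 60):
        for window in (0, 1):
            n = accepted_seconds(SECRET, skew, window)
            print(f"skew {skew:>2}s, window ±{window}: accepted {n}/30 seconds")
```

With a 45-second skew and a ±1 window the client's code is accepted during only half of each step, which is the "works sometimes" pattern; at 60 seconds it is never accepted.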

This discussion has been closed.