Support for arbitrary-length One-Time Passwords

I would like to see the ability to have arbitrary-length One-Time password support added to 1Password. I have one One-Time password that 1Password doesn't support, namely the Blizzard Entertainment Battle.NET one-time password. I would like to see 1Password support such codes. They are usually eight digits in length instead of the usual six digits.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: kb:undefined, kb-search:one-time password, ug:mac/totp, kb:undefined, kb-search:one-time password


Comments

  • Hi @trparky,

    It's not about the length, it's the algorithm itself. Battle.NET does not use TOTP but HOTP instead, which is different from what you'd see on Dropbox.com, Google.com and so on. TOTP is timer-based, while HOTP is counter-based.

    1Password only supports the standard TOTP algorithm, which can be 6 or 8 digits as mentioned in this RFC-2638. We'll look at adding HOTP support in the future.

  • trparky
    trparky
    Community Member
    edited June 2016

    It's funny that when I tried to put the secret key into 1Password it generated a portion of the random code, sadly it missed the first two digits. The last six were correct.

  • trparky
    trparky
    Community Member

    I have the code being generated in another program but I would like to consolidate all of my One-Time Password generation to one program, that being 1Password.

    When I exported the data from the program the exported data is as follows for a Battle.NET account...
    otpauth://totp/BattleNet:Battle.net?secret=[SECRET KEY GOES HERE]&digits=8&serial=[SERIAL GOES HERE]

    It sure looks like a TOTP-based code generator so it should work but I can't get it to show eight numbers instead of the usual six.

  • trparky
    trparky
    Community Member

    I did some experimentation with generating the One-Time Password using 1Password for my Battle.NET account. I put the data in as was exported from my other program into the account profile in 1Password. I then synced the data to my iPhone.

    Guess what... The 1Password app on my iPhone generates a 100% correct One-Time Password for my Battle.net account with all eight digits. I even logged into my Battle.net account using the code that the iPhone 1Password app generated and yes, Blizzard's Battle.net Login system accepted the code that was generated by the iPhone 1Password app. So, we know that 1Password can generate these codes correctly, but here's the problem: the 1Password Windows version of the program doesn't generate the codes correctly, which means the bug is clearly in the 1Password Windows program and it needs to be fixed.

  • trparky
    trparky
    Community Member

    The original thread I was talking about this issue in is located here. I'm making this new thread to document a bug that needs to be fixed in the Windows version of 1Password. Anyways, onto my bug report.

    It seems that the 1Password Windows version ignores the "digits" parameter in an OTPAUTH URL. Some services such as Blizzard's Battle.net use eight digits for their one-time passwords instead of the usual six that are used by other sites/services.

    For Battle.net, the OTPAUTH URL is as follows...
    otpauth://totp/BattleNet:Battle.net?secret=[SECRET KEY GOES HERE]&digits=8&serial=[SERIAL GOES HERE]
    Note the "digits=8" part of the URL; this should tell the code generator that it needs to create eight digits for the code instead of six.

    Anyways, I did some experimentation with generating a Battle.net One-Time Password using 1Password for my Battle.NET account. I put the data in as was exported (the OTPAUTH URL string) from my other program into the account profile in 1Password. I then synced the data to my iPhone.

    Guess what... The 1Password app on my iPhone generates a 100% correct One-Time Password for my Battle.net account with all eight digits. I even logged into my Battle.net account using the code that the iPhone 1Password app generated and yes, Blizzard's Battle.net Login system accepted the code that was generated by the iPhone 1Password app. So, we know that 1Password can generate these codes correctly but here's the problem.

    The 1Password Windows version of the program doesn't generate the codes correctly, which means the bug is clearly in the 1Password Windows program and it needs to be fixed.


    1Password Version: 4.6.0.604
    Extension Version: 4.5.6.90
    OS Version: Windows 10
    Sync Type: Not Provided

  • trparky
    trparky
    Community Member
    edited June 2016

    Also, the 1Password app for Windows that can be found on the Windows Store also generates proper codes for Battle.net. The only 1Password program that has this bug is the Windows (legacy Win32 API) 1Password program.

    Alright guys... this is a bug. Time to pull out the old can of RAID and kill this bug for us.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2016

    "The original thread I was talking about this issue in is located here. I'm making this new thread to document a bug that needs to be fixed in the Windows version of 1Password. Anyways, onto my bug report."

    @trparky: I'm not sure why you created a second discussion with the same information, but I've merged them here so we can have everything in one place, for simplicity's sake.

    "Also, the 1Password app for Windows that can be found on the Windows Store also generates proper codes for Battle.net. The only 1Password program that has this bug is the Windows (legacy Win32 API) 1Password program."

    This is fascinating, though. As far as I can tell, the bug is that it works on any platform, as 1Password doesn't officially support Battle.net Authenticator or other similar tokens, only 6 digit TOTP.

    "It seems that the 1Password Windows version ignores the "digits" parameter in an OTPAUTH URL. Some services such as Blizzard's Battle.net use eight digits for their one-time passwords instead of the usual six that are used by other sites/services."

    Indeed. Actually, one of my Battle.net accounts has a 6 digit authenticator code, perhaps due to its age. And now they're using alphanumeric codes too. The plot thickens!

    "So, we know that 1Password can generate these codes correctly, but here's the problem: the 1Password Windows version of the program doesn't generate the codes correctly, which means the bug is clearly in the 1Password Windows program and it needs to be fixed."

    Given the correct inputs and algorithm, it should be able to correctly generate anything. But as far as I can tell, Blizzard doesn't give one of the inputs to users: the "secret"; and that's a crucial part of the string you're suggesting 1Password for Windows should support. I don't know that we'll be going back and adding support for this to 1Password 4, but I'm intrigued. Thanks for bringing this up! :)

    ref: OPI-2596

  • trparky
    trparky
    Community Member
    edited June 2016

    I did find some source code in another (open source) project that allows one to be able to translate a Battle.net Serial Number and Restore Code into a Secret Key that would be needed to create an OTPAUTH URL string. The code is in C# though so I don't know if you guys would be able to fit the code into your existing code.

    https://github.com/winauth/winauth/blob/master/Authenticator/BattleNetAuthenticator.cs

  • AGAlumB
    AGAlumB
    1Password Alumni

    @trparky: That's pretty cool. Thank you! And while I expect we wouldn't want to reuse this code, it's a great reference. It's too bad that Blizzard doesn't provide the secret directly to users, as that would avoid any DMCA concerns. I suspect that this is partly because they want to continue to iterate on their authentication. I would absolutely love for us to support this in the future though. :)

  • trparky
    trparky
    Community Member

    Yeah because it supports everyone else as far as my OTPs are concerned. With Battle.net, I still need that separate app.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I understand completely, and it's something I've longed for for a long time: being able to keep everything login-related in 1Password. However, I will say that so far I'm liking Blizzard's new authentication approach. It's non-standard, and I'm not crazy about having to always have my phone with the Battle.net app handy, but it's otherwise convenient and super quick.

  • NathanSMB
    NathanSMB
    Community Member

    Sorry to necro an old thread @brenty but I wanted to add an update to people who find this thread through google searches like I did.

    If you can get the otpauth URL for your authenticator (see the post @trparky made here) and add it to 1Password, then the new 1Password 6 beta for Windows does generate the code correctly 100% of the time. That being said, it looks like there is no way to add a two-factor authentication field in the Windows beta yet, so you will need to add it from another device. But once it is added it will work.

    I hope you guys will be able to add official support eventually. Or Blizzard will follow the same standard the rest of the web does (HAHAHA), but for now it's nice to have a functional workaround.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @NathanSMB: Thanks for the encouragement! :)

    I also wanted to mention that while it isn't yet possible to add TOTP data in the beta, you can do it using the 1Password.com web interface. Not ideal, but a good alternative as we build the new app. Cheers! :)

  • rmpel
    rmpel
    Community Member

    Is there any update on this?

    1Password for Windows is still ignoring the "digits=8" portion of an OTP uri, and refuses to generate an 8-digit code, while the Mac and iOS versions DO generate the correct length codes.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @rmpel: Hmm. I've never actually encountered one. 1Password does not support HOTP, but can you give me an example TOTP site for the report? We can use it for testing. Thanks in advance! :)

    ref: OPW6-1355

  • rmpel
    rmpel
    Community Member

    @brenty, I know about HOTP not being supported, the question is solely TOTP related.

    I won't give you a site, cus that would enable anyone reading this to login. I will give you an example, though.

    The following secret is valid, but unused (as far as I can tell):

    otpauth://totp/WordPress:MyBlog?secret=MYECVRXJLE7LEJ3Y&issuer=WordPress

    It will, should and does generate a 6-digit OTP. This works in all OTP apps I have encountered.

    The OTP spec allows for 6 and 8 digit codes, so

    otpauth://totp/WordPress:MyBlog?digits=8&secret=MYECVRXJLE7LEJ3Y&issuer=WordPress

    should generate an 8 digit code. This code is simply 2 extra digits prefixed to the 6 digit code.

    This secret generates 948575, for example, in 6 digit mode and 34948575 in 8 digit mode. Easy verification that the 8-digit generator is generating a valid code.

    In developer-land, the difference in the algorithm is very simple: for a 6 digit code you at some point take a 1000000 modulo, and for 8 digits, take a 100000000 modulo.

    Again; the iOS version of 1Password does this correctly, the macOS version does this correctly. The Windows version does NOT.

    Thanks for your response, hope this gives the Windows team enough info to get this fixed, but if not, feel free to contact me.

    Remon.
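
As an added example (not code from this thread, from 1Password or from any of the apps named above), a minimal RFC 4226/6238 generator in Python that honours the digits= parameter of an otpauth:// URI, so the 6- versus 8-digit behaviour Remon describes can be checked against the RFC test vectors; the demo at the bottom uses the example secret posted above, and HMAC-SHA1 with a 30-second period is assumed, as is the otpauth default of 6 digits when the parameter is absent.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri):
    """Pull the fields out of an otpauth:// URI, including the digits= parameter the thread is about."""
    parts = urlparse(uri)
    query = parse_qs(parts.query)
    secret = query["secret"][0].upper().replace(" ", "")
    return {
        "type": parts.netloc,                        # "totp" or "hotp"
        "label": parts.path.lstrip("/"),
        # base32 decoding needs the input padded to a multiple of 8 characters
        "key": base64.b32decode(secret + "=" * (-len(secret) % 8)),
        "digits": int(query.get("digits", ["6"])[0]),   # assumed default of 6 when absent
        "period": int(query.get("period", ["30"])[0]),  # assumed default of 30 seconds
    }


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1; 'digits' is the only difference between 6- and 8-digit codes."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Truncate with 10**digits (1000000 for 6 digits, 100000000 for 8) and keep leading zeros.
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP over the number of 'period'-second steps since the Unix epoch."""
    return hotp(key, int(unix_time) // period, digits)


def code_from_uri(uri, unix_time):
    """Generate the code exactly as the URI asks for it, honouring digits= and period=."""
    p = parse_otpauth(uri)
    return totp(p["key"], unix_time, p["digits"], p["period"])


if __name__ == "__main__":
    # The unused example secret from the post above; the codes depend on the current time.
    base = "otpauth://totp/WordPress:MyBlog?secret=MYECVRXJLE7LEJ3Y&issuer=WordPress"
    now = time.time()
    six, eight = code_from_uri(base, now), code_from_uri(base + "&digits=8", now)
    print(six, eight, eight.endswith(six))  # the 8-digit code always ends with the 6-digit one
```

The assertions below use the RFC 4226/6238 test secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), whose 8-digit SHA1 codes are published in RFC 6238 Appendix B.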

  • AGAlumB
    AGAlumB
    1Password Alumni

    "I won't give you a site, cus that would enable anyone reading this to login. I will give you an example, though."

    @rmpel: I don't see how, since they won't have your username, password, or TOTP secret, but I'll take your word for it. Thanks for letting me know!

    Anyway, what you say makes sense. We should have what we need to "fix" it, but my concern is that I'm not aware of any sites we can use to test the fix. Right now I can see that we're getting different codes on Windows, but I don't have any way of knowing if those generated by any of the apps are valid in a case like this. We'll definitely reach out to you once we have an update if you'll be so kind as to let us know if it helps! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @XIII: Thank you! Interesting. I still think it's better to test with production sites, but something like that could be useful as well. :)

  • rmpel
    rmpel
    Community Member

    Well, if need be, I can set up an empty WordPress environment with an 8-digit OTP.

  • rmpel
    rmpel
    Community Member

    And of course, you can compare the Windows and Mac versions of 1Password, as the Mac version will generate a valid 8 digit OTP using the otpauth:// URI above.

  • rmpel
    rmpel
    Community Member

    "I don't see how, since they won't have your username, password, or TOTP secret, but I'll take your word for it. Thanks for letting me know!"

    I see what you mean with this response now.

    I have yet to encounter a publicly available app with 8-digit OTP. I have been (and still am) developing OTP two factor auth for all websites our company manages in order to increase its security. As I was comparing existing solutions against the OTP specifications, I discovered that although 6 digit is the default and most used, the OTP specs allow for 8 digits as well. Being a nerd with OCD I had an "if it's allowed, I need it to work" moment.

    I generated a QR code with "digits=8" in the URI and lo-and-behold, Google Authenticator for iOS generated 8 digit codes. I then proceeded to alter our software (easy fix) to validate 8-digit codes.

    Then I registered the QR code in as many apps as I can get my hands on.

    I tested 6 iOS apps, one of them 1Password; all passed.
    I tested Microsoft Authenticator (Windows Phone; Google does not want to compile their app for WinPhone). MS Auth FAILED.

    On desktop, there aren't many options.
    A few browser extensions/plugins/addons: all failed.

    1Password passed on the desktop on macOS, but failed on Windows.

    If 1P had failed on macOS and iOS to generate an 8-digit code, I would not have bothered contacting you, but seeing the Windows version is the only one failing, I labeled it a bug and decided to bring it to your attention.

    (One platform I cannot test; Android; I have no Android devices and I never will, so I cannot test any app on that).

    Sorry for the long and many comments, thank you for listening/reading :)

  • XIII
    XIII
    Community Member

    Did you try 2STP?

    https://itunes.apple.com/us/app/2stp-authenticator/id954311670?mt=8

    It claims to handle codes up to 10 digits... (though I'm not sure whether that is for TOTP or HOTP)

  • rmpel
    rmpel
    Community Member

    2STP generates perfect 8-digit codes, thanks for the 7th app on the list :P

  • AGAlumB
    AGAlumB
    1Password Alumni

    :lol:

    @rmpel: Seriously, thank you for sharing all of that! I was super curious about where this was coming from, but didn't want to be rude and ask you flat out "What's the deal?" ;)

    Since you're not aware of any production sites that support this either, I'll be satisfied to hear you confirm it's working once we have an update for this — especially given how fastidious you are, I'm sure I can count on you to find if something is still broken. :tongue:

  • rmpel
    rmpel
    Community Member

    Had to lookup the word "fastidious" ;)

    When I hear from you (by way of comment or update notification in 1P, or however :P ) I'll let you know :)

    Thank you for all your time.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah, sorry about that. I remember thinking that was a bit over the top but could not for the life of me think of a better word at the time. I hope you took it as the compliment it was meant as. We'll definitely be in touch once we have something in place to test. :)

  • rmpel
    rmpel
    Community Member

    Version 4.6.2.625 for Windows does not support 8-digit OTP,
    but
    I registered for 1Password "in the cloud" just to check; version 6.7.457 DOES support 8 digit OTP (and generates valid codes).

    Just so you know :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @rmpel: Hehe thank you. Yep! I actually tested this and filed a bug report earlier when you brought this up. I didn't mention it because I'm not certain this is something we'll be able to address there, as development is focused on the new app, and also because you hadn't mentioned 1Password 4. We are able to reproduce the same problem in 1Password 6 in some scenarios though (depending on the format/content of the TOTP string), so definitely a purple there too. I really appreciate your attention to detail on this! :)

    ref: OPW-628

  • rmpel
    rmpel
    Community Member

    Quite welcome.

This discussion has been closed.