One-Time Password out of sync

spuch
spuch
Community Member

Hello,

today I set up two factor authentication on my Amazon account and tried to handle the One-Time passwords with 1Password. I added a new One-Time Password using 1Password for Windows (Version 4.6.2.625) on a Windows 7 System. So far everything is working fine. The codes which are shown in the Desktop Version are working as expected.
In a second step I synchronized the the new settings via DropBox to 1Password for iOS (Version 6.8) on an iPhone 7. The One-Time password is now also present in the iOS App BUT the code which is shown is completely different from the one in the Desktop App on the Windows System and (as expected) it is not working.

I found a similar report here in the Mac forum but in that case a clock difference was the problem. Knowing that I checked the clock values on my systems: The time on my Laptop and my on iPhone are the same (local time) and it is possible the observe the One-Time password changing simultaneously on iOS App and on Windows Desktop every 30 seconds BUT while the code shown on windows desktop is totally fine the one presented in iOS App is completely different and not working.
Can anybody tell my why?

Thanks in advance
Stefan


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • spuch
    spuch
    Community Member

    I just recognized that there is a similar case in the Windows forum (Wrong resp. non-working OTP codes https://discussions.agilebits.com/discussion/81175/wrong-resp-non-working-otp-codes#latest).
    In opposite to that description the One-Time Passwords (OTP) generated with 1PW for windows are working fine in my case and are the same as in the iOS app Authy (https://itunes.apple.com/de/app/authy/id494168017?mt=8). Only the OTPs generated in the 1PW App for iOS are not working after sync from Windows via Dropbox to iOS.
    In my previous comment I forgot to mention that I'm using the latest stable version of iOS 10.3.3

  • AGAlumB
    AGAlumB
    1Password Alumni

    @spuch: Thanks for reaching out. I’m sorry for the trouble! I appreciate the amount of detail you provided. It sounds like the issue is probably on the iPhone then. The problem is that 1Password doesn't sync TOTP codes. 1Password uses the TOTP secret you have stored along with the system clock to generate the code. So if any of there's a difference with regard to any of these factors between your devices (and, ultimately, the server), the codes won't match.

    Can you tell me more about where you're trying to use this? You said Amazon, but I'm not seeing this option in my account. If you can share a link to the page where you set this up, and then the URL where you're signing in, I'll be happy to test this myself to see if we can narrow down the problem.

    In the mean time, please try manually setting the date, time, and zone on each device to ensure that they match exactly, as that can definitely help. I appreciate that you've done the right thing as far as visually checking, but better to be 100% certain. Thanks in advance! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @spuch: Sorry. I forgot one other thing I'd meant to touch on: what sync method and vault type are you using? I'd like to make sure I test this using a setup that matches yours as closely as possible. Also, please verify that the TOTP secret is the same on both devices. Especially if you made a change to the item, it's possible there was a sync conflict there.

  • spuch
    spuch
    Community Member

    @brenty: Thanks for your reply! I'll try to answer all your questions in the same order:

    Amazon account:
    If you log into your Amazon account you will find in the top right corner in the drop-down of your username the option "Your Account".
    Next you select the option "Login & security" and after that die option "Advanced Security Settings". In my case there is a button called "Edit". On that page I can enable the Two-Step verification (SMS, App, etc.). If Two-Step verification is enabled, you can use the normal URL for signing into your Amazon account but after entering Login and Password you will be asked to provide the TOTP code as well. Amazon allows to add more then one App so I added the iOS App Authy as well in order to compare it with the results from 1PW for iOS.

    Clock setting:
    My Laptop is using Timezone Berlin is automatically synced against de.pool.ntp.org and I ensured, that by a manual update.
    My iPhoe 7 is also using Timezome Berlin is automatically synced. I tried to manually update the by dis- an enabling automatic synchronization once. As far as I can see see (the analog watch in iOS App is very small) both clocks are running synchronous. Since the TOTP code presented in 1PW for Windows and Authy on my iPhone are the same, we have got a second fact, that the clocks should be matching.

    Sync Method and vault type:
    As mentioned in my second post, I'm using DropBox to sync my data from my Laptop to my iOS device. I do this only in one way (not back from iOS to Laptop). Therefore I upload manually the 1PW files to DropBox where the iOS App of 1PW can get always the latest version on startup. According to your advisory I checked that the TOTP secret are the same on iOS App and 1PW for Windows application. Therefore I copy and pasted both strings (1PW Windows and 1PW iOS) into a text editor and made a diff. To get the secret from iOS device to the text editor on my laptop I used a txt-file in the App Good Reader 4.0 and a Wifi connection (in short: I'm sure they are matching).
    Regarding your questing about the "vault type" I assume that you ask for the formats OPVault or Agile Keychain? Since I've never touched the format since my first usage of 1PW I can only guess that I'm using "Agile Keychain" because the directory 1PW for windows saves its data to contains a directory named "1Password.agilekeychain". If it help to narrow the problem down I can for sure change the format to OPVault. I just saw, that there are two posts (Getting your data into the OPVault format and How to switch to the OPVault format from Agile Keychain) which explain that.

    If I can provide further informations to narrow that problem down don't hesitate to ask. :)

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited August 2017

    @spuch: Thanks for the information, and for your patience with me getting back to you. I wanted to make sure I understood all of the pieces of this puzzle, and that was perfect!

    In setting this up on my OWN Amazon account and testing it (with an Agile Keychain vault sync'd via Dropbox — the format shouldn't matter, but I just wanted to be thorough), I'm seeing the same TOTP code in 1Password for Mac, 1Password for Windows (v4), and 1Password for iOS; I didn't have any trouble signing in with any of these.

    There are a couple things which you mentioned that gave me pause, and may offer clues here:

    Clock setting:
    My Laptop is using Timezone Berlin is automatically synced against de.pool.ntp.org and I ensured, that by a manual update.
    My iPhoe 7 is also using Timezome Berlin is automatically synced. I tried to manually update the by dis- an enabling automatic synchronization once. As far as I can see see (the analog watch in iOS App is very small) both clocks are running synchronous. Since the TOTP code presented in 1PW for Windows and Authy on my iPhone are the same, we have got a second fact, that the clocks should be matching.

    To me, it doesn't sound like you're setting the date/time/zone manually like I suggested; you're still using the time server to set it. Definitely try doing it yourself, on each device, to ensure that they match exactly. This is a common problem when Wi-Fi-only devices set the time, and even still occurs in some cases when connected to cell networks (though this is rarer).

    Sync Method and vault type:
    As mentioned in my second post, I'm using DropBox to sync my data from my Laptop to my iOS device. I do this only in one way (not back from iOS to Laptop). Therefore I upload manually the 1PW files to DropBox where the iOS App of 1PW can get always the latest version on startup. According to your advisory I checked that the TOTP secret are the same on iOS App and 1PW for Windows application. Therefore I copy and pasted both strings (1PW Windows and 1PW iOS) into a text editor and made a diff. To get the secret from iOS device to the text editor on my laptop I used a txt-file in the App Good Reader 4.0 and a Wifi connection (in short: I'm sure they are matching).

    You said earlier that you're syncing your 1Password data using Dropbox, but I have to be honest: I don't understand what you're doing here, and it sounds like you're not doing this:

    Syncing 1Password using Dropbox

    So I do wonder if, with a manual setup, human error is playing a role here. Can you clarify what you're doing exactly, and how it differs from the Dropbox sync setup guide above?

    Also, I've gotten the following TOTP secret from Amazon:

    JTAQ M5KA CSR4 RY7P W2D6 FS67 YH7D 42PM A5ZT WFHI JGMO QJMP B3UA1

    Is yours in the same format? It's also possible that an invisible leading or trailing character (line break, space, null, etc.) is screwing things up on one or more platforms. I know I've encountered issues like that before. Try adding that secret to a login item and see if it generates the same code everywhere, as I can confirm that it works just fine here.

    Thanks again for your attention to this! If there's a bug here, we'll find it. :sunglasses:


    1. Don't worry. This is no longer my TOTP secret, as I've deactivated it on my account and left Amazon some feedback: "SMS is not a secure channel, and requiring this as a mandatory fallback option turns the two-step verification into security theater. Please consider removing SMS completely, or offering it only as an alternative to those who want it. Thanks!" ↩︎

  • spuch
    spuch
    Community Member

    @brenty: Thank you for your remarks. I will try to clarify my writings, maybe they are a little bit too complicated, because I'm not a native English speaker...

    Clock setting:

    To me, it doesn't sound like you're setting the date/time/zone manually like I suggested; you're still using the time server to set it. Definitely try doing it yourself, on each device, to ensure that they match exactly. This is a common problem when Wi-Fi-only devices set the time, and even still occurs in some cases when connected to cell networks (though this is rarer).

    You are "partially" right. I did first set the date/time/zone manually (https://www.uhrzeit.org/ and pressing the save button in that moment when the next minute starts) but since you can set the clock in iOS only on a minute base I assumed that the ntp protocol should be much more precise (at least on a basis of some few seconds). I just repeated the test by disabling the automatic synchronization and would state that a clock difference is not the root of the problem. I have still the same code running in 1PW on my Laptop and in the app Auth on iOS while the code in 1PW on iOS is different.

    Sync Method :
    The word manually is a little bit misleading:
    My setup of the synchronization from 1PW on iOS and Dropbox is exactly like written in the Dropbox sync setup guide you mentioned above. What I tried to explain with "manually" is the process of syncing 1PW on Windows to Dropbox. Therefore I did not install the native Windows client which does a synchronization somewhat instantaneous in background. From Time to Time a log into my DropBox account and use the Web-upload where you select manually the files you want to upload in the web frontend.
    In short: I never sync data from DropBox to 1PW on Windows, only the other way round. I upload the 1PW Keychain from Windows to my DropBox account. Of cause this in not a very comfort way but that ensures that you can never remove some login data on iPhone and also on Laptop (Yes I'm a little bit paranoid).

    In order to exclude all the cans and ifs regarding the synchronization process using DropBox I did a new test with the TOTP secret which you posted from Amazon above with disabled automatic clock synchronisation. The results are interesting and will probably help to find/implement a solution for my problem:
    1) Authy App is really cool: During my first try to copy/paste your secret code above to 1PW for iOS I missed to select the last character 'A'. That leads of cause to the fact that 1PW on iOS and 1PW on Windows had different codes. I found that mistake by comparing the stings again. BUT how could the app Authy (I used as reference on iOS) generate correct code although I copied the same wrong secret into that app? WTF I double cheeked that: I can use the right secret above and the secret with the last character missing, in both cases Authy is generating correct codes. I don't understand why but maybe there is some kind of checksum which allows Authy to correct the missing character. For 1PW on iOS that means: If the code is entered correct, I can get the same codes on 1PW for iOS and 1PW on Windows.

    2) Due to the lucky mistake above I realized when comparing the strings in 1PW for iOS and 1PW for Windows that the format of the secret in 1PW for iOS looks still like your example above (13x 4 characters) while the field in 1PW for windows converts the secret to a URL in the format 'otpauth://totp/NAME_OF_ACCOUNT?secret=THE_REAL_SECRET_ENTERED_BY_USER'. And exactly that is the root of my problem with different TOTP codes, because that URL is synchronized (in my case via DropBox) to 1PW on iOS. I think you should be able to reproduce that now as follows:

    1) Enter your secret above into a new login on 1PW for Windows.
    2) When you safe the secret you are asked for a name for your account which leads to the URL format mentioned above.
    3) When you synchronize that to iOS (using DropBox or Wifi whatever) you can find that URL in the One-Time field on iOS and not the "parsed secret" which you would enter manually there. That leads to the different TOTP, because the complete URL is interpreted as secret.
    4) If you manually remove the leading 'otpauth://totp/NAME_OF_ACCOUNT?secret=' and the white spaces in between '%20' you can see that the codes are generated correctly

    Thanks again for your attention to this! If there's a bug here, we'll find it. :sunglasses:

    I assume you are right, but don't ask me how much time I spent in sum to figure that out :unamused:

    I think now its up to you to reproduce and (hopefully) fix that. Its hard to belief that no one ran into that problem before :crazy:

  • Thanks for the additional information @spuch. We're gonna have to check that out.

    That leads to the different TOTP, because the complete URL is interpreted as secret.

    This isn't the case, assuming the URL is correctly formed. Our apps should accept the value as either a raw secret, or a totp url which can include the secret and other parameters like number digits, period, and algorithm.

    Rick

  • rickfillion
    edited August 2017

    @spuch : we've managed to isolate the problem to the way in which 1Password for Windows 4 encodes the secret with spaces. The other apps aren't expecting the %20 for spaces and would rather there not be spaces (encoded or not) at all. We'll see what we can do about that.

    Rick

    ref: OPW-633

  • AGAlumB
    AGAlumB
    1Password Alumni

    @spuch: Just to clarify, as a workaround, you can save the TOTP secret in 1Password 4 without spaces and it will work. The spec doesn't allow for these, so the code will be the same. We just need to have the Windows app ignore these.

    P.S: Your English is great and I never would have guessed it's not your first language if you hadn't mentioned it. I made a mistake when testing this, and that's on me. Thanks so much for your persistence on this!

  • spuch
    spuch
    Community Member

    @rickfillion
    I'm pleased to hear that you were able to isolate the problem. This is always the prerequisite for considering a fix.

    @brenty
    Thanks for pointing that workaround out here. That may help others who have similar problems. In between I did exactly that (I removed the white spaced) and now the synchronization from 1PW4 on Windows to 1PW on iOS works as expected.
    Additionally a big thank you for your support including the effort to reproduce this (quite special) problem in your own environment.

  • Good to know that the workaround worked for you. In the process of looking into this we found another bug in how our iOS and Mac app read in those totp URLs that could cause additional issues. Thanks so much for reporting this to us.

    Rick

  • makip
    makip
    Community Member

    Thanks to this thread I was able to resolve my OTP issue - was working on 1Password iOS but the OTPs on macOS client were wrong. For some reason the macOS clock was a minute slow, and when I adjusted the time the OTPs became synchronised again.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ahh great! Thanks for letting us know! Glad that helped. We're here if you need anything else. :chuffed:

  • space_cadet
    space_cadet
    Community Member

    If anyone is looking at this in 2019... I just had the same issue. It's been working well for a while but recently 1password on my Samsung S10 works fine, Macbook Pro suddenly stopped working. I changed the Date & Time on my Macbook from Automatic to Manual (unselecting the tick box) and set the clock back by one minute. The OTP suddenly started matching and working again on the Macbook Pro....

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the confirmation! Indeed, when this happens it's typically because the time has gone out of sync on one of your devices. I am glad to hear this fixed it for you too :+1:

This discussion has been closed.