Problem with 2FA code on hover.com - keep getting invalid code

365nice
Community Member

Hi - I've not had a problem with using 1P for generating 2FA codes on many sites; however, today I went to hover.com and entered the code 1P generated and it now won't accept that code (it has worked flawlessly in the past). I've tried another site which has 2FA and 1P worked fine for that, it's just hover.com that is now rejecting it.

Anyone else had this problem? I have noticed that my Mac is using the Apple time server to set its time, and it does seem to be a minute faster than I would expect - but this kind of date drift would be spotted by lots of people if it was the cause?

Could it be that hover has some bad implementation of 2FA?

I'm trying to get my account unlocked - but wondering if this is the tip of the iceberg.


1Password Version: 6.8.6
Extension Version: Not Provided
OS Version: OSX 10.13.2
Sync Type: Not Provided
Referrer: forum-search:2fa

Comments

  • Hi @365nice,

    Most TOTP/2FA implementations will accept drift up to 59 seconds in either direction, but some will handle more drift than that, while others could handle less. This is done by having the server accept more than 1 TOTP code at any given time. The official recommendation for TOTP is to accept 3 codes, but some services accept 5, and some may only accept 1.

    It's possible that hover.com only supports the one, which would make it very sensitive to drift. Can you try compensating for that minute and giving that a go just to see? If that fixes it, I would recommend filing a bug with the folks at hover.com to have them make their implementation a little more lenient.

    Rick
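
Added example, not part of the original thread and not hover.com's or 1Password's code: a minimal RFC 6238 verifier showing how the number of codes a server accepts determines how much clock drift it tolerates. The secret and timestamp are the RFC 6238 test values; the `window` parameter and the `outcome` helper are names assumed for this illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key
SERVER_TIME = 1111111109          # RFC 6238 test timestamp, used as "server now"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code an authenticator app shows when its clock reads unix_time."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the matching step offset, or None if the code is rejected.

    window=0 accepts 1 code, window=1 accepts 3, window=2 accepts 5.
    """
    current = server_time // STEP
    matched = None
    for offset in range(-window, window + 1):
        if current + offset < 0:
            continue
        expected = hotp(secret, current + offset, 6)
        # Constant-time comparison; keep looping so timing does not leak the offset.
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = offset
    return matched

def outcome(drift_seconds: int, window: int):
    """Verify a code generated by a client whose clock is off by drift_seconds."""
    return verify(SECRET, totp(SECRET, SERVER_TIME + drift_seconds), SERVER_TIME, window)

if __name__ == "__main__":
    for drift in (0, 20, 60):
        for window in (0, 1, 2):
            result = outcome(drift, window)
            print(f"drift={drift:>2}s accepted_codes={2 * window + 1} ->",
                  "rejected" if result is None else f"accepted at step {result:+d}")
```

With 30-second steps, a client clock exactly one minute fast is always two steps ahead, so a verifier that accepts 1 or 3 codes rejects it and one that accepts 5 lets it through.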

  • 365nice
    Community Member

    Hi - I went back to try it again like you said and it let me in this time (or at least it let me reset my password and accepted the 2FA code). I think that drift was the thing as my laptop clock is much closer to timeanddate.com - so possibly the Apple clock was corrected today (or it drifted back into line - it was definitely that clock as when I disabled it and set the time manually myself and then re-enabled it, it seemed to jump back to being 1 min+ out).

    Anyway, I managed to nab the recovery code from hover for future reference, and like you say - I will also file a bug with them.

    thanks

  • That's great to hear that you managed to get back in. :)

    Rick

This discussion has been closed.