
Problem with OATH-TOTP on firmware 2.1.2 #141

Open
bwoznicki opened this issue Jun 3, 2022 · 12 comments

Comments

@bwoznicki

There seems to be a problem with the generated code for OATH-TOTP on firmware 2.1.2. I had originally set up authentication on 2.1.1 and everything was working fine (Amazon / GitHub etc.). Recently I have noticed that the generated code never works; I have disconnected and reconnected the key, wiped the slot and reconfigured it again several times with no luck. Downgrading to 2.1.1 seems to fix the problem.

@onlykey
Collaborator

onlykey commented Jun 3, 2022

@bwoznicki We have not received any other reports of issues with TOTP. You can test the OTP outputted by OnlyKey and compare to the expected output by using this site: https://totp.danhersam.com/

@bwoznicki
Author

Yeah, I thought it was strange. I thought it might be a time issue, but simply downgrading fixed the issue instantly with the same setup on the slot. I might upgrade back to 2.1.2 and see if the issue persists.

@matbgn

matbgn commented Aug 18, 2022

I can only second @bwoznicki: the OTPs generated are just totally wrong since the last upgrade.

@bwoznicki
Author

Same. What worked for me originally was a downgrade followed by an upgrade; for some slots/sites the OTP is fine while for others it just spits out a wrong code. It looks like something causes it to go out of sync after a while. I have just logged off GitHub, logged back in, and again the OTP is wrong. Happy to help with testing.

@onlykey
Collaborator

onlykey commented Aug 18, 2022

@bwoznicki I don't see any changes to TOTP in v2.1.1 vs v2.1.2 firmware. Can you provide a TOTP secret that generates a code on your OnlyKey different from this site: https://totp.danhersam.com/
*A secret that you aren't currently using for an active account

If I can replicate the issue I can fix it, but so far I have not been able to see any issues with TOTP. If the time is correctly set on the computer where the OnlyKey app is running, the app sends the time to OnlyKey and that is used to generate the TOTP on the device.

@bwoznicki
Author

I don't think this is easy to replicate, as it takes time to go wrong. If I reset two-factor on GitHub now, it will work OK for a few months. I never used to save the secret, so I could not compare the failing one coming from OnlyKey to what I get from https://totp.danhersam.com/. Is it possible that the secret itself gets corrupted somehow on the key? Is it possible to retrieve the secret stored on the key?
As for the time set on the device, this can't be the issue, as all the generated codes would be wrong, but like I mentioned before some slots are fine while others generate a wrong code.

@bwoznicki
Author

I believe I found a solution; there must be a time sync problem. I just had two different OATH-TOTP slots failing. Closing/reopening the OnlyKey app / reconnecting the key fixed both. FYI @matbgn

@matbgn

matbgn commented Oct 30, 2022

Yeah, but if you want to rely on it for work, it's not an option, unfortunately.

@onlykey
Collaborator

onlykey commented Oct 31, 2022

@bwoznicki Glad that worked for you. If removing the device and reinserting it corrects the issue, then I suspect the issue is time drift. The OnlyKey gets the correct time from the app when you first connect the device, but if you were to leave the OnlyKey plugged in for weeks or months it could have some time drift over a long period like this. As TOTP requires the time to be within a 30-second window, if the device's time is even slightly off it would require a resync by removing/reinserting the device.

@matbgn

matbgn commented Oct 31, 2022

It's clearly time drift, but for me it happens within a few hours (<4).

@alexhk90

Acknowledging that this thread is a couple of years old, so this may no longer be an issue, but as it's still open, in case it is still an issue I just submitted a feature request that could help at least work around this time drift: https://onlykey.discourse.group/t/fido2-signcount-view-update-in-onlykey-app-cli-and-or-always-process-settime-oksettime-command-in-onlykey/1400

If the OnlyKey CLI settime command was processed every time, this could be automated to be sent periodically (say, every 30 minutes) to ensure the time on the OnlyKey remained in sync (enough not to cause an issue with TOTP).

@matbgn

matbgn commented Dec 22, 2024

Still an issue from my perspective, so thank you 🙏


4 participants