Reverse engineer IRS2Go secret key generating OTP?

The IRS is now offering offline TOTP generation via their IRS2Go app which requires an IRS username (8-64 characters, no spaces or special characters other than _) and a key shown on their site, in my case, an 8-digit number. With these two items, it generates a 6-digit number every 60 seconds. I know 1Password only supports a TOTP period of 30 seconds, but it'd be useful to reverse engineer what their app is doing behind the scenes and how it's combining the username and password into one secret to generate the code so it could be done with other software. I tried colon or pipe as a delimiter with no luck. Any suggestions?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
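An added example, not part of the original post and not the IRS2Go app's code: a standard RFC 6238 TOTP with the period as a parameter, showing why a client fixed at 30 seconds will not reproduce codes from a 60-second generator even when it holds the same secret. It assumes plain HMAC-SHA1 TOTP; how IRS2Go derives its secret from the username and key is unknown and is not modelled here, and the sample secret is the RFC test key.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 / RFC 6238 SHA-1 test key, not an IRS value.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits)


def periods_agree(secret: bytes, unix_time: int, a: int = 30, b: int = 60) -> bool:
    """True if generators using periods a and b emit the same code at unix_time."""
    return totp(secret, unix_time, a) == totp(secret, unix_time, b)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    print("30 s period:", totp(SAMPLE_SECRET, t, period=30))
    print("60 s period:", totp(SAMPLE_SECRET, t, period=60))
    # The counters t//30 and t//60 are equal only while t < 30, so in practice
    # a 30-second client and a 60-second generator never agree.
    print("agree at t=59:", periods_agree(SAMPLE_SECRET, t))
```
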

Comments

  • Same question for the Xfinity Authenticator app.

  • Ben AWS Team

    Team Member

    Hi @Lucent,

    Thanks for the suggestion. I'm not aware of any definite plans at this time, but I'll certainly pass the idea along to the rest of the team for further consideration.

    Ben

  • cellsheet
    edited March 2019

    I have the same question for this app. The 2FA available notification is annoying, not being able to fill it in 1Password, and no luck getting it to work either, but it did help me become aware of the option for this particular app. Thanks.

  • Ben AWS Team

    Team Member

    Hi @cellsheet

    Until / unless another solution is implemented, you can add a tag -- "2FA" -- to your login item for this site to have 1Password ignore the fact that it thinks you aren't using 2FA.

    Ben

  • Were you ever able to find the TOTP algorithm the IRS uses?

  • Never had any luck with IRS or Xfinity. Probably best left to someone with the skill to decompile the APK.

  • Ben AWS Team

    Team Member

    :+1:

    Ben
