Support for arbitrary-length One-Time Passwords

2»

Comments

  • brentybrenty

    Team Member

    :) :+1:

  • edited August 2017

    @rmpel Fixed in version 4.6.2.626

  • rmpelrmpel Junior Member

    Super! We'll check it out as soon as we can update to 626 (625 now and 1P says it's the latest). Thanks for the notification!

  • @rmpel 626 isn't out yet, but @svondutch has been super busy if my e-mail notifications are any indication, so you should have a number of tweaks and fixes to look forward to when it's ready to head out the door. :chuffed:

  • rmpelrmpel Junior Member

    Just updated to 626, works perfectly! Thank you!

  • MikeTMikeT Agile Samurai

    Team Member

    On behalf of the team, you're welcome.

  • sebishsebish
    edited June 25

    Hi all,

    first of all thanks for the great support and listening to the users here!

    As I understood, this issue with length 8 2FA has been fixed some time (years) ago. Now I added my Blizzard 2FA to 1Password (kind of hacky process) and that works. I got locked out of my account there after the last mobile exchange and that sucked, so I definitely want to have in 1password.

    So this is generally working, but: The code must be length 8 and in the application for Windows and Mac (tested both), I do only get shown the last 6 digits of the code. On the website (1password.com) it does show all 8 digits as desired.

    Are you aware of that issue? Did I get something wrong? Has the fix never been merged into the desktop apps?

    I can tell that the code is working and correct in the desktop apps too, since the shown 6 fields are always identically to the last 6 fields in the code. For me as user it looks like the desktop apps are cutting off the first 2 fields, because they always show 6.

    Best regards

  • Hi all,

    first of all thanks for the great support and listening to the users here!

    As I understood, this issue with length 8 2FA has been fixed some time (years) ago. Now I added my Blizzard 2FA to 1Password (kind of hacky process) and that works. I got locked out of my account there after the last mobile exchange and that sucked.

    So this is generally working, but: The code must be length 8 and in the application for Windows and Mac (tested both), I do only get shown the last 6 digits of the code. On the website (1password.com) it does show all 8 digits as desired.

    Are you aware of that issue? Did I get something wrong? Has the fix never been merged into the desktop apps?
    I can tell that the code is working and correct in the desktop apps too, since the shown 6 fields are always identically to the last 6 fields in the code.

    Best regards

  • brentybrenty

    Team Member

    @sebish: Thanks for reaching out. There's some confusion, as 1Password supports the TOTP standard. Blizzard uses something else. So you didn't do anything wrong, but 1Password is the wrong tool for the job in this case. it will work for things like Dropbox, Twitter, Google, Facebook, and more recently PayPal (among many more others than I can name off the top of my head), which all use the TOTP standard. But it will not work with things that don't use TOTP.

    On a side note, I'd definitely recommend against using any "hacky process" to setup two-factor authentication. Even if it works, if it's unsupported by the service, it could break at any time and get you locked out. For a long while PayPal did not support TOTP officially, and people were finding ways to work around that. It's much safer now that they officially support it -- not in terms of security, but being able to rely on it working on an ongoing basis.

  • Thank you for your quick and detailed response!

    I generally fully agree to what you say. But did you read that it is already working in 1password?

    The same Password Entry is shown with 6 digits in desktop apps and 8 digits in 1password website. So even by respecting your concerns: Why not patching this functionality to the apps too? The length 8 code shown on the website password.com does work. I guess it could desync after time, but this is not likely? Why does the code from 1password work when blizzard uses a different protocol?

    Of course you do not have to teach me that. If this is the expected behaviour, it is fine. I am just curious why it works in the webapp, but not desktop.

    (!) Edit1: I just recognized that it is working in webapp and mobile app too! So the support for showing length 8 codes seems to be missing only in the desktop apps.

    Actually this is already good enough for me. So the remaining question would be, why the desktop apps show a working length 8 code as length 6 (what breaks it of course) while mobile app and webapp show it correctly as length 8?

  • brentybrenty

    Team Member

    @sebish: Likewise, thanks for getting back to me. :)

    But did you read that it is already working in 1password?

    You said earlier that you got locked out of your account. I would have a hard time calling that "working", even if it seems to "work" initially. :lol:

    Why does the code from 1password work when blizzard uses a different protocol?

    I don't have any way of knowing. They don't share their methods publicly. If that changes in the future, it's possible we'd support it in 1Password. But since Blizzard doesn't support using 3rd party authenticator apps, using 1Password or any other is not recommended.

    To clarify, the TOTP spec supports codes of arbitrary lengths, and 1Password supports that as well. But this is specified within the TOTP secret. If you'd like to invalidate the string you're using to generate the codes and share it, I'd be curious to look into it. But again, we're not going to support this unless Blizzard does.

  • Deat brenty,

    that was a misunderstanding. I added this service's 2FA to 1password, because I got locked out with the blizzard authenticator after reinstalling my mobile. Everything worked fine with 1password.

    To make things short and including my newer findings:

    Users can add 2FA keys of 8 field length to 1password successfully. They are presented correctly in the web app and the mobile app. But (and this is my problem) those 8 length keys are shown as 6 length in the desktop apps, Mac and Windows.

    Therefore, I fully understand that you will not support something that is not wanted this way. But maybe you could port the behaviour of presenting length 8 keys from web and mobile app to the desktop apps? Because these are already doing it right.

    The key is stored correctly in 1password, 1password generates the correct numbers for 2FA, but the desktop apps (only) cut off 2 fields.

    If you want to, I can send you the key and or generated QRCode. I would change my account's authenticator ID before of course ;-)

    I would accept, if you refuse, since this may (!) be blizzard specific and thus is not supported. But it could appear with more (supported) 8 length keys. The different behaviour of web, mobile vs desktop is what I see here.

  • sebishsebish
    edited June 26

    Deat brenty,

    that was a misunderstanding. I added this service's 2FA to 1password, because I got locked out with the blizzard authenticator after resetting my mobile. Everything worked fine with 1password as soon as I got the code in it.

    To make things short and include my newer findings:

    Users can add 2FA keys of 8 field length to 1password successfully. They are presented correctly in the web app and the mobile app. But (and this is my problem) those 8 length keys are shown as 6 length in the desktop apps, Mac and Windows. Tested on completely independent machines.

    Therefore, I fully understand that you will not support something that is not wanted this way. But maybe you could port the behaviour of presenting length 8 keys from web and mobile app to the desktop apps? Because web and mobile are already doing it right.

    The key is stored correctly in 1password, 1password generates the correct numbers for 2FA, but the desktop apps (only) cut off 2 fields.

    If you want to, I can send you the key and or generated QRCode. I would change my account's authenticator ID before of course ;-)

    I would accept, if you refuse, since this may (!) be blizzard specific and thus is not supported. But it could appear with more (supported) 8 length keys. The different behaviour of web, mobile vs desktop is what I see here. View of web and mobile works perfectly fine with it, but desktop apps cut off the first 2 fields:


    (Rightclick and open in new window. Already censored.)

  • brentybrenty

    Team Member

    @sebish: Ohhhh gotcha. Sorry for misunderstanding. I have totally locked myself out of my Blizzard account before, because the physical authenticator dealie (back when those were a thing) just died. I would love to be able to use 1Password for this and have it across multiple devices as a backup option...but only if it's supported and reliable, as otherwise I'm back to square one.

    The thing is, we're using the same code for this across all the apps, so that it isn't behaving the same in all cases is due to something else entirely. So my thinking is it may even be specific to the string you're currently using, or just the way it's formatted. Seriously, if you'd be willing to donate it "for science" and send it over after invalidating it, I'll be happy to test it to see if we can learn something. Just email [email protected] and mention me -- brenty -- with link to this thread for context, and I'll take a look. :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file