1Password for Mac sometimes generates invalid One Time Codes

I have experienced a few occasions where the one-time codes being generated by 1Password for Mac have been incorrect. I verified that the secret, which is stored as an otpauth:// URI, is correct. I was able to use the secret in it to successfully set up Google Authenticator to generate valid codes. I was also getting valid codes from 1Password on my iPhone. This indicates that it may have been a problem with the clock, but my Mac's clock was always showing the correct time.

However, the problem is not persistent. Even though it was generating invalid codes for several minutes, as I was comparing with the apps on my phone, at some point it started generating valid codes again.

This is the second time I have noticed this issue within a week for 2 different sites.


1Password Version: 6.8.3
Extension Version: Not Provided
OS Version: macOS 10.13
Sync Type: Dropbox

Comments

  • brentybrenty

    Team Member

    @Lachy: 1Password doesn't decide the codes. These codes are generated using the date/time on your device, so if that is out of sync with your other devices and/or the server you're trying to authenticate with it might not work (though there is usually some leeway given by the server). This is most common on Wi-Fi-only devices, since cell connections synchronize the time more consistently. In some cases the only fix is to set the time manually.

  • I know exactly how TOTP works. My computer's clock was correct. The secret stored in my 1Password vault was and is correct. But 1Password was still reporting incorrect codes for at least 5 minutes as I was comparing with codes from Authy and Google Authenticator using the same token. There is a bug in 1Password that I've now experienced on two separate occasions, but I don't yet know how to reliably reproduce it.

  • brentybrenty

    Team Member

    I know exactly how TOTP works.

    @Lachy: I wasn't suggesting you don't. This is a public forum, so I have to consider that others might have similar questions. :)

    My computer's clock was correct. The secret stored in my 1Password vault was and is correct. But 1Password was still reporting incorrect codes for at least 5 minutes as I was comparing with codes from Authy and Google Authenticator using the same token.

    Can you show me an example of the TOTP secret you're using? Maybe it's in a non-standard format. Just definitely don't post the actual secret here. In the past we've had bugs where 1Password was not rejecting invalid TOTP strings and would treat anything like a TOTP secret, so it's possible that yours is but was saved before we added more checks for that.

    There is a bug in 1Password that I've now experienced on two separate occasions, but I don't yet know how to reliably reproduce it.

    If there's a bug in 1Password's TOTP implementation, it would be affecting other users — and also affecting both your Mac and iOS devices, as we're using the same code in each.

    Please, please just try manually setting the time on each device. I suspect you'll find that the codes match up exactly then, as it has in my own testing and for other users who suggested this in the first place and helped many. :blush:

  • I've experienced it with two different services. These are their otpauth URIs.

    otpauth://totp/Bitbucket:username?secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&issuer=Bitbucket
    otpauth://totp/[email protected]?secret=XXXXXXXXXXXXXXXX

    As I said, most of the time, the one time codes are correct. It just seems to sometimes possibly be calculating based on an incorrect timestamp, even though the clock is correct. Next time it occurs, I'll make sure to record the actual timestamps and then I can manually calculate the OTP codes for a few hours before and figure out what time it may be using. I will also try to take a screenshot with Authy and 1Password showing distinct codes at the same time.
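
The check described in the post above (recomputing codes for timestamps around the moment a wrong code was seen, to find which time the app may have been using), as an added example that is not part of the original thread or 1Password's code. The URI uses the published RFC 6238 test key, the observation time is constructed, and the function names are this example's own.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def secret_from_uri(uri):
    """Extract and Base32-decode the secret parameter of an otpauth:// URI."""
    secret = parse_qs(urlparse(uri).query)["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped Base32 padding
    return base64.b32decode(secret)

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (the otpauth default) at a given time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_skew(key, observed, seen_at, max_skew=6 * 3600, step=30):
    """Offsets in seconds (multiples of step) from seen_at at which the
    observed code is valid, nearest first. An empty list means the code
    matches no time in the window, which points away from a clock problem."""
    hits = []
    for n in range(-(max_skew // step), max_skew // step + 1):
        if hmac.compare_digest(totp(key, seen_at + n * step, step), observed):
            hits.append(n * step)
    return sorted(hits, key=abs)

# Constructed sample input: RFC 6238 test key ("12345678901234567890").
SAMPLE_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    seen_at = 1_500_000_000             # constructed: when the codes differed
    wrong = totp(key, seen_at - 3600)   # simulate an app running one hour behind
    print("reference code:", totp(key, seen_at))
    print("observed code: ", wrong)
    # With 6-digit codes a rare chance collision can add an extra offset,
    # so confirm a hit against a second observed code.
    print("candidate offsets (s):", find_skew(key, wrong, seen_at))
```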

  • LarsLars Junior Member

    Team Member

    Sounds good, @Lachy -- let us know what you discover.

This discussion has been closed.