TOTP URI Parsing issue

This was not a show stopper, however I think it might be an unintentional behavior in how 1Password is parsing the TOTP URI from QRs / pasted in URIs.

In setting up OTP (using TOTP) with FreeIPA v. 4.1.4 I kept experiencing problems with 1Password's scan of the QR code (it would create a URI, but the TOTP would not work). I tried pasting the URL manually and experienced the same thing -- so I experimented with removing different parameters from the URL (since many were "defaults" and not necessary to the URL). I was able to make it work if I removed the algorithm parameter and its value from the URL.

Out of curiosity I noticed that FreeIPA is sending algorithms in lowercase, not uppercase (like some implementations of TOTP seem to expect; I'm not 100% certain if the RFC spec requires upper/lower or is case insensitive). I was able to get 1Password to work successfully when I changed the algorithm parameter's value to uppercase (i.e. `&algorithm=SHA256` instead of `&algorithm=sha256`).

If it's not a violation of the RFC spec, it might make 1Password's TOTP more compatible to not be case-sensitive about fields where case isn't really relevant anyway.

Either way, I love the product and keep telling friends and co-workers about it!


1Password Version: 5.3
Extension Version: Not Provided
OS Version: OS X 10.10.3
Sync Type: Not Provided

Comments

  • Hi @stewgoin,

    I've seen TOTP URIs with the issuer parameter but I've not come across ones before with an algorithm parameter. I'm surprised as I don't think the specs allow for a configurable algorithm so not entirely sure what use that would have in a TOTP code.

    It doesn't have to be via the forums if you don't feel comfortable at all but I would be interested in seeing a couple of real examples of the full URI. By this I mean the URI would be generated by whatever system is generating them but then discarded so the secret is definitely not in use (for the obvious reasons) and if a username is identifiable at all it too could be changed. By way of example.

    otpauth://totp/KiwiVM:VEID:146489?secret=5JGEK6V7XVHP3FO4&issuer=KiwiVM

    The ID part, VEID isn't the real one, it's a meaningless number of digits just in case the VEID did reveal something about the account and the secret isn't in use.

    I ask because I'm intrigued to see what is being generated but it seems I would have to set up FreeIPA to do so. I figure this might be a lot quicker to investigate with an example or two if you're willing. As I say, if you don't feel comfortable doing this in the forums just let us know and we'll take it to email :smile:

  • Sure! Here are some examples (one for each algorithm in FreeIPA, fake ID portion for a test account):

    otpauth://totp/[email protected]:sha1?digits=6&secret=ZO5MOJSCJTRNOHMDAWQWS3UBEKQ2DUUJ&period=60&algorithm=sha1&issuer=test%40FAKE.COM

    otpauth://totp/[email protected]:sha256?digits=8&secret=Q5DJTSNL653EMGHCQTMHTR4CEP76AEYR&period=30&algorithm=sha256&issuer=test%40FAKE.COM

    otpauth://totp/[email protected]:0b04b8a9-2eb4-40b6-8689-a82d133f83ef?digits=6&secret=RWWJ2V7CN2DJUZA53NMNNO5HIMMJCTXX&period=30&algorithm=sha384&issuer=test%40FAKE.COM

    otpauth://totp/[email protected]:31ff7daa-186f-45f0-9434-371451787dd6?digits=8&secret=VIP4HYGETMLBRSTKMIZWHEV7FWY5MV2J&period=30&algorithm=sha512&issuer=test%40FAKE.COM

  • That's fantastic @stewgoin,

    I'll test those and report back as soon as I can.
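A parser that treats the `algorithm` parameter case-insensitively, as the thread suggests, is added here as an example; it is not 1Password's or FreeIPA's code. The URIs below are constructed in the shape FreeIPA emits but use the RFC 6238 Appendix B test seeds, so the codes it computes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions keyed by canonical uppercase name; the URI value is
# uppercased before lookup, so "sha256" and "SHA256" resolve the same way.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
              "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into the parameters needed to compute codes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    # Base32 secrets are often emitted without '=' padding; restore it.
    secret = query["secret"].strip().upper().replace("=", "")
    secret += "=" * (-len(secret) % 8)
    algorithm = query.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": base64.b32decode(secret),
        "algorithm": algorithm,
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }

def totp(params, unix_time):
    """RFC 6238 code for parsed parameters at the given Unix time (T0 = 0)."""
    counter = int(unix_time) // params["period"]
    mac = hmac.new(params["secret"], struct.pack(">Q", counter),
                   ALGORITHMS[params["algorithm"]]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])

# Constructed sample URIs (FreeIPA's layout, RFC 6238 test seeds, not real secrets).
SEED20 = base64.b32encode(b"12345678901234567890").decode().rstrip("=")
SEED32 = base64.b32encode(b"12345678901234567890123456789012").decode().rstrip("=")
URI_SHA1 = ("otpauth://totp/test%40FAKE.COM:sha1?digits=8&secret=" + SEED20
            + "&period=30&algorithm=sha1&issuer=test%40FAKE.COM")
URI_SHA256_LOWER = ("otpauth://totp/test%40FAKE.COM:sha256?digits=8&secret=" + SEED32
                    + "&period=30&algorithm=sha256&issuer=test%40FAKE.COM")
URI_SHA256_UPPER = URI_SHA256_LOWER.replace("algorithm=sha256", "algorithm=SHA256")
```

With the test seeds, `totp(parse_otpauth(URI_SHA1), 59)` gives the RFC's `94287082` and the lowercase and uppercase SHA256 URIs yield identical codes.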

This discussion has been closed.