Dropbox OTP not working

I have set up Dropbox's two-step verification successfully in 1Password (scanned in QR code, entered received code - all OK). However, after logging out of Dropbox (web) and back in again, the OTP that 1Password is generating is not working. I deleted the OTP field from 1Password and set it up again, but the problem remains.

I then switched the OTP generation to Authy. Authy works every time.

Any help would be appreciated.


1Password Version: 4.5.0.575 Windows. 5.4.2 iOS
Extension Version: 4.3.1.90
OS Version: Windows 8, iOS 8.
Sync Type: Not Provided

Comments

  • littlebobbytables
    1Password Alumni

    Hi @alanper,

    I haven't had any troubles using Dropbox TOTP in 1Password so it is definitely usable. It seems we need to figure out why it doesn't for you.

    Just so I can ensure I'm reproducing the same steps, you scanned the QR code in 1Password for iOS and were you reading the code from 1Password for Windows or did everything involving the TOTP code happen in 1Password for iOS?

  • alanper
    Community Member

    I set up the OTP using iOS, and then used the Chrome extension to copy and paste the OTP into the Dropbox OTP window. The weird thing is that I do get a valid code from 1Password, as after scanning in the QR code, Dropbox asks you to enter the OTP for the first time. Thereafter the 1Password generated OTPs fail.

    I discovered some additional info that could help the troubleshooting. The OTPs generated by the 1Password Windows application and the Chrome extension are the same (I presume through the 1Password Helper). The iOS 1Password Dropbox OTP is different. The iOS Dropbox OTP works. The Windows/Chrome OTP does not.

  • littlebobbytables
    1Password Alumni

    Hi @alanper,

    Given that both Authy and 1Password for iOS are generating valid TOTP codes I wonder if the issue is the time clock on your Windows machine. If it was significantly out compared to your iOS device that would be one reason why it's failing. Could you do a quick check please and make sure the time clock is in sync with your iOS device?

    If it isn't we'll need to look elsewhere but it's best to tick this possibility off the list first :smile:

  • alanper
    Community Member

    Yep, the clocks are in sync (within 60 seconds of each other). It may be worthwhile to note that my Gmail OTPs are being generated correctly by Windows/Chrome. It is only the Dropbox OTP that is giving me the problem.

  • littlebobbytables
    1Password Alumni

    Hi @alanper,

    So I have a bit of a request, which of course you are free to say no to but I'm hoping if we can reproduce the issue it will help us understand what is happening. I'd like to help you replace your current TOTP secret with a new one so that you're free to safely show us the old and misbehaving secret.

    1. Edit your Dropbox Login item in 1Password for iOS to show the full field.
    2. Use the standard iOS techniques to copy the contents of the field to the iOS clipboard and paste somewhere temporary, such as in the Notes app.
    3. Return to 1Password on your iOS device and cancel editing mode if you haven't already.
    4. Log into your Dropbox account on your Windows machine (hence needing to leave edit mode in 1Password for iOS).
    5. Enter Dropbox's Settings and then switch to the Security tab.
    6. Click on the Edit link next to where it says Authenticator app for Two-step verification.
    7. Follow the steps to generate a new TOTP secret and recovery code and save these in 1Password for iOS as you did before.

    Now what you might find is that this new secret works in both 1Password for iOS and 1Password for Windows as it isn't as black and white as TOTP not working in 1Password for Windows. The real goal for all of this though has been to replace the secret that seems to be generating different codes on the two platforms. With this secret now discontinued, revealing it won't have the same security implications as it would have if it was active.

    Now the Dropbox otpauth URI contains your email address which of course you don't want to display so you could change that small section to something else like email_address@example.org. Now if you don't object to showing us the old code but are uncomfortable doing so in the forums that's fine, you could email it to us at support@agilebits.com with a link to this thread or if you don't object you can post it here. My suspicion is something odd may be happening with certain strings and an example of a real code showing this may help us isolate the issue and allow the developer to identify the cause precisely.

    You may not be comfortable with any of that and of course that's your prerogative. It will make isolating the issue trickier as we need to bring concrete data to the devs. I'm sure you can understand that isn't an unreasonable request of them to make to the support staff as us causing wild goose chases is a bad use of their time. Either way, let us know what you think :smile:

  • alanper
    Community Member

    I have 1Password installed on my home PC, and on my notebook. Both running Windows 8.1.
    I have discovered that my home PC Dropbox OTP generation works flawlessly (and is generating the same code as my iOS 1Password). My notebook Dropbox OTP is not working (and is not generating the same Dropbox OTP as my home PC/iOS 1Password). I tried un-installing, and re-installing on my notebook but still no change.

    From this I guess it is not an OS issue, but something that is exclusively happening on my notebook. When I un-installed from my notebook I did the usual add/remove program routine. Is there another (more comprehensive) way to un-install/re-install?

    If you still want me to go through the steps listed above let me know. However as my home Windows PC is working (and therefore is not necessarily an OS issue) my take on it is that it is probably no longer necessary.

  • littlebobbytables
    1Password Alumni

    Hi @alanper,

    Well we've at least eliminated the possibility of a significant issue in our TOTP generation on Windows if 1Password for Windows is working on one machine and produces the same codes as your iOS device. You're right, there seems no need at all to go through any of the suggested steps now.

    Given we've narrowed it down to a single machine it might be worth uninstalling 1Password for Windows using the uninstaller you should find in the Start Menu (or whatever 8.1 has - sorry, I've avoided that version completely) and then downloading a fresh copy from our AgileBits Download page.

    After installing a fresh copy and re-opening your .agilekeychain for the first time does it still display incorrect TOTP codes compared to your iOS or home PC?

  • alanper
    Community Member

    I used the Windows uninstall routine and removed 1Password from my notebook. I downloaded the latest version and installed. The problem however persists. Could you let me know what the TOTP is based on? That way I can do more "educated" troubleshooting.

  • littlebobbytables
    1Password Alumni

    Hi @alanper,

    One component TOTP uses is the shared secret that both you and the server know. In 1Password for Windows you can see this shared secret, rather than the current code, by editing the item from within the main 1Password window. It will have its own little section above the web form details box at the bottom of the edit window and the contents will look a little something like this

    otpauth://totp/Dropbox:email@address.com?secret=RJK7HXYJTU52UZJCW34AG&issuer=Dropbox

    The secret is the key part and should be in Base32 encoding.

    The other factor in a TOTP code is the current timestamp and that's it. The calculation can be found in RFC 6238

    TOTP = Truncate(HMAC-SHA-1(K,T))

    where K is your shared secret and T = (Current Unix time - T0) / 30 as TOTP uses a 30 second step.

    Dropbox sync seems to be working given all of your other devices are showing no issue which is why I asked to check the time clock - that's usually the cause.
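The calculation described in the reply above, as an added example that is not part of the original thread or 1Password's code: it derives codes from an otpauth URI and checks whether a mismatching code can be explained by clock skew alone. The sample URI uses the RFC 6238 test key rather than a real secret, and `secret_from_uri` and `find_step_offset` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30  # seconds per time step, as stated in the reply above

# Constructed sample: the secret is the RFC 6238 test key
# ("12345678901234567890" in Base32), not a real account secret.
SAMPLE_URI = ("otpauth://totp/Dropbox:email_address@example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Dropbox")


def secret_from_uri(uri):
    """Extract and Base32-decode the shared secret K from an otpauth URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    b32 = parse_qs(parts.query)["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # URIs usually omit the Base32 padding
    return base64.b32decode(b32)


def totp(key, unix_time, digits=6, t0=0):
    """Truncate(HMAC-SHA-1(K, T)) with T = floor((unix_time - T0) / STEP)."""
    counter = struct.pack(">Q", (int(unix_time) - t0) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_step_offset(key, code, reference_time, max_steps=20):
    """Return how many steps the clock that produced `code` is off, or None."""
    # None means no clock within +/- max_steps steps yields this code, which
    # points away from clock skew and towards a different secret or parameters.
    for n in sorted(range(-max_steps, max_steps + 1), key=abs):
        if totp(key, reference_time + n * STEP) == code:
            return n
    return None


if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    now = 1111111111  # constructed reference time (an RFC 6238 test point)
    for label, t in [("in sync", now), ("5 min slow", now - 300)]:
        print(label, totp(key, t), find_step_offset(key, totp(key, t), now))
```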

This discussion has been closed.