OTP and DigitalOcean - barcode can't be scanned

fongdfongd Junior Member

Hi,

I'm trying to set up 2FA with DigitalOcean, but 1Password's QR scanner is not recognizing the barcode DO is offering. No matter how large (or small) I make the barcode scanner window, 1Password simply doesn't acknowledge the presence of the barcode. I can't drag and drop the barcode image to the scanner window because of the way the image is embedded on DO's page.

Any tips I can try here?


1Password Version: 6.5.BETA-24 (650024)
Extension Version: 4.6.1
OS Version: 10.12.1
Sync Type: iCloud

Comments

  • fongdfongd Junior Member

    For what it's worth, I was able to scan the barcode with the 1Password app on my iPhone, but although DO accepted the challenge to complete the OTP setup, when I subsequently logged out and logged back in, DO rejected the OTP token that was generated.

  • rudyrudy

    Team Member

    @fongd,

    Are they giving you a TOTP code or a HOTP code in that QR code? 1P does support TOTP, but does not support HOTP.

    A coming 6.5 beta will start to reject those HOTP codes until we are able to implement the necessary UI elements to support them.

    Rudy

  • fongdfongd Junior Member

    @rudy,

    Sorry, I don't know the difference between HOTP and TOTP so I couldn't tell you! :(

    But something else strange is happening aside from this. cPanel's server management suite now offers 2FA for account logins so I tried enabling it on a new server I just set up. As happened with the DigitalOcean QR code, 1Password was unable to scan it. But since cPanel provides a code I can use instead, I was able to use that with 1Password. So far, so good. Logged out and tested the 2FA, and it worked without issue.

    Later, I renamed the server (so its domain name changed). cPanel was no longer accepting 1Password's tokens, which I attributed to the server's domain name change, so I removed the 2FA configuration from both 1Password and the cPanel server to reset things. I went through the same motions as previously—manually enter the code that cPanel gives me to put into 1Password, then paste the 6-digit PIN that 1Password gives me. Now, no matter what I try, cPanel will not accept the PIN. I haven't tried with a new 1Password entry as yet but I'd hate to have to do that (and if this is indeed what I have to do, I guess it's a bug that should be fixed?).

    Any ideas what might be causing this? I've never had trouble with 2FA before, but I've stumbled upon two (edge?) cases within the last 24 hours! :(

  • rudyrudy

    Team Member

    Hi @fongd,

    HOTP is a predecessor to TOTP. It is an event-driven one-time password, whereas TOTP is a time-based one. I think things like blizzard.net hardware tokens are considered HOTP.

    I don't want to ask too many details about what your QR code looks like because that would unnecessarily reveal more than you'd want to reveal. But could you describe the form of what you manually typed in? 1Password is expecting a URL with an indicator of algorithm (totp in this case) and a seed value to supply to the generator. If you're just typing in an existing generated 6-digit code then that's definitely going to fail to generate a synchronized code for you to supply back to your server's 2FA prompt.

    Regarding scanning the DigitalOcean QR code, I assume you're dragging the scanning window over the code in a web browser? What happens if you take a screenshot of that code and then drag & drop the file onto the scanning window? I only ask that because sometimes the zoom level of a given QR code fails to detect when scanned with our screen scraping implementation. It will fail at 100% zoom, but at 107% it is able to detect it for some reason.

    I've been working on a couple of improvements around the QR code scanning that I'm hoping to get into the beta chain soon that should hopefully make it more clear if the scanning failure is because it can't scan the QR code or if the QR code itself contains data that isn't what we're looking for. It's certainly possible that while its data is valid, what we're expecting it to be to seed our generator isn't.

    Rudy

  • fongdfongd Junior Member

    Hi @rudy,

    I determined the DO 2FA QR code is TOTP—I discovered that if I mouse over the QR code, I get the actual code itself with a TOTP prefix in the mouseover tooltip. I tried resizing the QR code smaller and bigger underneath the barcode scanner but nothing worked. However, when I entered the (thankfully) short code I obtained while mousing over the QR code on DO's site, 1Password recognized it and I was able to complete the 2FA enrolment. Subsequently logging out and logging back into my DO account confirmed that the 2FA code generated by 1Password works.

    So there's definitely something amiss with scanning the QR code because manual entry seems to work fine.

  • rudyrudy

    Team Member

    Hi @fongd,

    Yeah, it's a 3rd-party library that we're using to back that scanner on the Mac, which is why it behaves differently than iOS, where we're able to use Apple's machine code recognizer to process the image with. I'd love to dump the 3rd-party library and use Apple's code but it isn't available on the Mac yet.

    Rudy

This discussion has been closed.