Issues with Hexonet's 2FA system

richardevs
richardevs
Community Member
edited July 2017 in 1Password in the Browser

I don't know if it is a problem of Hexonet or 1Password, but since I move all my 2FA tokens from Authy to 1Password, I have been having problems with Hexonet's login as every time it seems to be mismatching the actual 2FA token, and return password error.

I contact Hexonet's team to try and fix this issue but yet it happened again, absolutely correct username and password but as soon as I activate 2FA token, it will success on the first few try, and then failed the rest.

I'm thinking about some time sync issue but since my computer time sync is working perfectly, I can't think of what the reason will be here.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @richardevs,

    Thanks for writing into us about this unusual issue. I have signed up for a test account with Hexonet and have enabled 2FA to try it out myself. I tested with 1Password for Mac 6.8 and was able to sign out and back in again 4 times using different one time passwords successfully.

    As you say this might be a timing thing. The OTP codes change every 30 seconds, the next time it happens please take a look at the Login item within the main 1Password application and see if you happened to try logging in around the time that the OTP code changed. If so then it should work with the next OTP code on your the next attempt.

    If you see that the OTP code still has a long time left in it's 30-second life span and still isn't working then there's something else wrong. Do let me know if this sounds more like the issue. In this case, I'd be curious to hear how long after you set up the 2FA that this begins happening - hours, days, weeks?

    Looking forward to hearing back.

    Best regards,
    Matthew

  • richardevs
    richardevs
    Community Member

    If you see that the OTP code still has a long time left in it's 30-second life span and still isn't working then there's something else wrong. Do let me know if this sounds more like the issue. In this case, I'd be curious to hear how long after you set up the 2FA that this begins happening - hours, days, weeks?

    Yes that is the case I'm trying to make and also reported to Hexonet's tech team.

    About 12 hours later. I import my OTP code by copying the QR code and import by clipboard.

  • richardevs
    richardevs
    Community Member
    edited July 2017

    Also I should mention I'm using their brand new 3.0 panel. But the old panel have the same issue for me too, so.

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @richardevs,

    I just tried logging in again and my OTP code worked using 1Password for Mac 6.8, it's been a little over 24-hours since I enabled my Login item with the QR code for 2FA. Perhaps we're using different versions of the 1Password app.

    I originally created my Login item using the 1Password for Mac app. My Login item syncs to my Windows computer which us running 1Password for Windows 6.7.442. When I try logging in with the Windows app it also produces a working OTP code for me.

    If you can let me know which version of 1Password you used to create the Login item it might be the difference. You can check what version of 1Password you're running by following this guide:

    https://support.1password.com/cs/version/

    Best regards,
    Matthew

  • richardevs
    richardevs
    Community Member

    Howdy @matthew_ag ,

    I use the 1Password 6.7.442, Windows Beta.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @richardevs: I'm not seeing a discrepancy between TOTP code generated by 1Password 6 on Windows and other versions. Since it's time-based, it usually something as simple as a difference between the date/time/zone settings on different devices. That's not to say that time synchronization isn't working on your PC (though that's certainly a possibility), but it isn't uncommon to see time drift or delay in synchronization on some devices, especially those which are not receiving fairly regular updates from cell towers. For example, I've seen a lot of cases where Wi-Fi-only tablets need to have their date/time/zone manually set for the codes to be correct. Let me know what you find!

  • richardevs
    richardevs
    Community Member
    edited July 2017

    @brenty Howdy, I tried to activate my 2FA authentication again and this is a copy of my ticket sent to Hexonet's team, which yet have not been replied:

    Howdy,

    I tried to activate my 2FA again and this time I specifically look into the log Hexonet
    provided.

    [removed sensitive account information — this is a public forum]

    This time instead of scanning the QR code, I type in the secret key in 1Password to make
    sure things are right, but still, Hexonet returns an error message.

    I notice that Hexonet use UTC as system time and I use UTC +9 cause I'm in Japan, is that
    the problem after all?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited July 2017

    @richardevs: Thanks for getting back to me! I'm not really familiar with Hexonet, so I'm not sure. Generally date/time is only displayed according to your settings, but under the hood it's all UTC. However, it's possible that they're doing something differently on their end — or that there's just a time discrepancy. Do you have a link where I can easily sign up for an account? I'd be happy to test that myself if that's possible. :)

    P.S: It looks like you may have posted your actual TOTP secret above (and perhaps sent it insecurely to Hexonet support as well). If that's the case, please have them help you generate a new TOTP secret for your security.

  • richardevs
    richardevs
    Community Member

    @brenty Howdy,

    Hexonet's Team replied at the same time, what a coincidence, lol. ( They're just telling me they have forwarded it to backend team)

    Here's the link for you : https://www.hexonet.net/sign-up

    And yes, that is an actual TOTP that has nothing to do with any of my account since the activation failed at that point.
    My Hexonet account will not have any TOTP measures until they solved this issue, or else I will be locking myself out every darn time.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @richardevs: Oh. Duh. That makes sense. Thank you very much!

    Sorry for the delay, but I had a heck of a time just getting their signup forms to work. Turns out, Safari doesn't work so well there, and they've set a maximum password length of 16...

    Anyway, I was able to get signed up in Chrome and setup TOTP. It worked just fine with the QR code, but I also saved the TOTP secret separately just to verify that it generated the same as the QR code. I also tried both using IPs in both Japan and the US just to see if that made any difference. I'm really leaning to something with your configuration. Are you able to reproduce the same issue on another device? If you haven't already, try setting your date/time to the correct values manually instead of relying on the automatic update. That often is less reliable without a constant cellular connection.

  • richardevs
    richardevs
    Community Member
    edited September 2017

    @brenty Howdy, it's been a while since this problem occur and I think I have found the core issue.

    I flied to China last month and then came back to Japan, when I sync my computer time with time.windows.com ( default settings ), it somehow got me to GMT +8, but it is obviously choosing the GMT +9 timezone. I find it strange and change the sync server to time.nist.gov, it solves the time issue and also fix the 1Password TOTP problem with Hexonet. So after all, it should be a computer misconfiguration, got rekt by time.windows.com server.

  • jxpx777
    jxpx777
    1Password Alumni

    Ah, that's interesting, @richardevs. Yes, you're right that those TOTP relies on the clocks of the local computer and the server to be fairly close in their times since the current time is used to generate those one-time codes. The TOTP spec says the server should accept more than just the current generated value (usually the current one and one on either side of the current time) but that certainly doesn't help if the times are out of sync by an hour. I'm glad you were able to narrow down the cause of the issue!

This discussion has been closed.