To protect your privacy: email us with billing or account questions instead of posting here.

TOTP Off

prime
prime
Community Member

I have no idea how to start this. I added 1 Password X on Vivaldi and it said my TOTP was wrong. So I freaked out a little. I got it from 1Password for Windows (on the same computer), and I haven't changed it for a long time. So I have DUO on my iPhone and iPad, and I got in. I figured I'll just re-enter the code I saved for the TOTP, and what I have saved in 1Password is off still from Duo.

So I turned off 2 step from my 1Password account. I re-enabled it used the QR code for Duo, and saved the code for my 1Password login (part of the welcome kit).

All my apps asked for the TOTP, and it will wasn't working from what was showing still. I opened Duo again, and again it was a different number.

The 1Password.com is showing different than Duo again.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«1

Comments

  • prime
    prime
    Community Member

    Update:
    I disabled it again. This time I used the QR code on DUO and my login for my 1Password account so they BOTH came from the SAME QR code...
    They are still different

  • prime
    prime
    Community Member

    Update #3
    I am see that the time is off
    Duo is slow, but works. Right now the 6 code are the same but Duo has 29 seconds left while 1Passwords' TOTP in my login is 4 seconds for the same 6 digit code.

  • prime
    prime
    Community Member
    edited June 2019

    Update 4
    So I logged into safari on my iPad like it was new

    I waited until duo and 1Password app had the same 6 digit code. I waited until the TOTP in 1Password changed (changed 1st before Duo), waited 3 seconds, and used the code that was in Duo, and I got in. If this makes sense.
    Edit:
    I checked for updates for 1Password in the iOS App Store and no updates, so I am on the current one.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @prime,

    I don't believe you have mentioned this: where are you using 1Password? is it on the same mobile device where you are using Duo?

  • prime
    prime
    Community Member

    @ag_ana I am using it on the same device as Duo. But I see the TOTP off on everything, including when I sign into 1Paassword.com. At 1st I thought my computer’s time was off, because I know they does affect it if it’s too far off.

    I forgot to add, it seems like last night the 2 (duo and 1Password) caught up for a while and were in-synced, but they are off again.

  • @prime : are you using Duo as a TOTP app? I've never actually done that before, didn't know that that was possible.

    Our TOTP QR code contains a URL that looks like this:
    otpauth://totp/1Password:agilebits.1password.com?secret=OT2U2RSBOCIGJHRA&issuer=1Password&skid=9CB78F (no that isn't a real one :P )

    I find it fascinating that 1Password and Duo could be disagreeing about the value here on the same device, since we aren't using any options like period that could change things.

    Would it be possible for you to check our different apps to see if they agree on the value? You said that the Duo value was accepted but that 1Password's value wasn't. That's interesting because all of our apps use the exact same code (yay cross-platform code!) for TOTP generation and validation. This includes our server.

    Something that you could try, just for kicks to see if it makes a difference... is to modify the TOTP secret's value to remove everything but the secret itself (OT2U2RSBOCIGJHRA in my example above). We're using default options for everything so the rest shouldn't matter. I wonder if maybe there's something funky with your URL that's causing our app to mis-interpret something.

    I'm super curious to find out what's going on here.

    Rick

  • prime
    prime
    Community Member

    @rickfillion yes, using Duo as a TOTP app to get into my 1Password account. I also download the Google Authentication app too when I was testing, and that was off. I’ve never had an issue, everything use to by synced up great until this happened.

  • I wonder if Duo maybe uses server time and not the local time. Did Google Authenticator agree with 1Password?

    It's not the end of the world if they disagree slightly because nearly every implementation of TOTP validation (ours included) will accept the previous, current and next values to make up for the fact that clocks can differ slightly. But you said that it actually rejected your value when you used it which has me puzzled.

    Rick

  • prime
    prime
    Community Member

    @rickfillion all 3 were odd, and only buy seconds. So for a few seconds, they were all the same. The counter is also not the same too. When 1 was 30 seconds, the other was at 14, and the 3rd was about let’s say 10. So it’s not like they were a full cycle off, it was part of the cycle that they were off for a bit. Then eventually they were all in-synced, then slowly went off again. It’s like they were all 1/10 of second off and that threw it off.

  • Suuuuper bizarre. With default options, the period is 30 seconds. So at the top of every minute and at the mid-way point of every minute they're supposed to switch. Assuming that all 3 were getting local time, I can't explain how that'd happen unless they were all interpreting the URL differently and somehow reading a non-default period value.

    Did you try using just the secret value in all 3 to see if it makes a difference?

    Rick

  • XIII
    XIII
    Community Member

    I also noticed that Duo and 1Password are not in sync.

    They behave differently; Duo always seems to start at 30 seconds, counting down, whenever you view a code, while 1Password starts somewhere between 1 and 30 (but not always at 30).

  • My understanding is that TOTP generation is supposed to be based on the time of day, rather than the time you access the credential. I'll try to get confirmation of the correct behavior, and see if we're doing it.

    Ben

  • prime
    prime
    Community Member

    @XIII how off is yours? Have you tried Google Authenticator? It’s strange because they are seconds off. If it was a time zone issue, it would be cycles off, but all same time wise (all 3 would be at the :15 second mark, just different codes, if that makes sense).

  • Duo always seems to start at 30 seconds, counting down, whenever you view a code, while 1Password starts somewhere between 1 and 30

    That's likely part of the problem then. Ben's correct that it's based on time of day and not from when you access it.

    If you think about it, this makes sense because the other device that checks this value (the server) doesn't know when you started looking at the value.

    Rick

  • prime
    prime
    Community Member

    @rickfillion I have this issue with Google Authenticator as well.

    When testing it, Duo always got me in. 1st noticed the issue when I went off of the TOTP in 1Password.

  • I suspect that your clock is something like 45-60 seconds fast or slow as compared to our servers then. Just enough to be at the barrier of when you could get locally would differ from what our server calculates, but not always.

    Rick

  • prime
    prime
    Community Member

    @rickfillion
    When I signed into 1Password X I have the desk top on the same computer, and the extension for the desk top as well already on that browser. So I just autofilled stuff and that’s when the TOTP did not work. I grabbed my phone and that’s noticed the code was different in Duo. I put in the code from Duo and got in.

    My work computer is constantly 5 mins off and all TOTP works no issues.

  • XIII
    XIII
    Community Member

    If you think about it, this makes sense because the other device that checks this value (the server) doesn't know when you started looking at the value.

    Indeed.

  • prime
    prime
    Community Member

    Ok, let’s leave any other Authenticator out. The one in 1Password should have worked when it auto filled. It didn’t. That’s the main issue here.

  • Now you've got me reading RFCs, which is always fun. :) (https://tools.ietf.org/html/rfc6238#section-6)

    My work computer is constantly 5 mins off and all TOTP works no issues.

    This may depend on how the server does the validation and synchronization as described in the linked section of the RFC above.

    Can you confirm that the service you had reject you was our own 1Password.com as opposed to another service?

    Rick

  • prime
    prime
    Community Member

    @rickfillion I was logging into 1Password.com (to activate 1Password x) when this happened. I have the desk top for windows on the same computer and I had the extension on the same browser (why I was able to auto fill the info). When the TOTP didn’t work. I manually typed the number from the desk top. Still didn’t work.

  • @prime : and when it did work, it was cause you used the numbers from Duo on your phone?

    Rick

  • prime
    prime
    Community Member

    @rickfillion that is correct.

  • @prime : and this desktop is the one that you describe as "My work computer is constantly 5 mins off and all TOTP works no issues."?

    I wonder if maybe the issue here is that our server is simply more strict than the vast majority of servers out there. Either more strict, or simpler in how it handles (or doesn't handle) clock skew.

    If a device is 5 minutes off, I don't see any way that our server would allow its TOTP. This is a particularly frustrating experience for you the user if you're using a code generated by our app on the same device.

    Rick

  • prime
    prime
    Community Member

    @rickfillion nope. This is my personal laptop. The time is identical to my iPhone and iPad (to the second).

  • That wasn't the answer I was looking for, @prime! :smile:

    I'm currently out of theories in that case.

    Rick

  • prime
    prime
    Community Member

    Ask away. I did a lot of testing :lol:

    Not sure if you saw, I even turned off 2FA and turned it back on. I did this 3 times (not fun :lol: ) to make sure I wasn’t doing something wrong. At one point, I had all 3 Authenticators taking the picture of the QR code to make sure there was no humor error with copying and pasting the code (that code to use in case you can’t use the QR code).

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: It sounds like maybe Duo is doing something non-standard with regard to always starting at a 30 second countdown (which would only be accurate 1/30th of the time)...but I also wonder if they're using their time as opposed to your device's. A number of authenticator apps do that I think. I know for sure Authy does. So, for example, unless your device date/time/zone happens to match Authy's exactly (I guess they handle this on their server), 1Password (or any other app generating codes based on device clock) won't match it. Have you tried setting your device clock settings manually?

    https://time.is

    That may not agree with Duo, Authy, etc., but then at least 1Password will generate the correct TOTP codes.

    We don't have control over how other apps do this, and it bothers me most that Duo would have had to generate a correct code for you to confirm to even setup TOTP for the account, yet is isn't doing that consistently afterward. I haven't seen other reports like this though. Confusing, to say the least.

  • prime
    prime
    Community Member
    edited June 2019

    @brenty

    but then at least 1Password will generate the correct TOTP codes.

    But that’s the point, it didn’t. That’s my whole issue. The one from 1Password would not work. Even after starting 2FA over 3 more times. Duo was what got me in, the code generated from it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @prime: Thanks for clarifying. What I'm saying is that 1Password cannot generate valid TOTP codes without the device time/date/zone settings being correct though. That's why I suggested setting it manually: https://time.is

This discussion has been closed.