Support for arbitrary-length One-Time Passwords

2»

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    :) :+1:

  • svondutch
    svondutch
    1Password Alumni
    edited August 2017

    @rmpel Fixed in version 4.6.2.626

  • rmpel
    rmpel
    Community Member

    Super! We'll check it out as soon as we can update to 626 (625 now and 1P says it's the latest). Thanks for the notification!

  • @rmpel 626 isn't out yet, but @svondutch has been super busy if my e-mail notifications are any indication, so you should have a number of tweaks and fixes to look forward to when it's ready to head out the door. :chuffed:

  • rmpel
    rmpel
    Community Member

    Just updated to 626, works perfectly! Thank you!

  • On behalf of the team, you're welcome.

  • sebish
    sebish
    Community Member
    edited June 2019

    Hi all,

    first of all thanks for the great support and listening to the users here!

    As I understood, this issue with length 8 2FA has been fixed some time (years) ago. Now I added my Blizzard 2FA to 1Password (kind of hacky process) and that works. I got locked out of my account there after the last mobile exchange and that sucked, so I definitely want to have in 1password.

    So this is generally working, but: The code must be length 8 and in the application for Windows and Mac (tested both), I do only get shown the last 6 digits of the code. On the website (1password.com) it does show all 8 digits as desired.

    Are you aware of that issue? Did I get something wrong? Has the fix never been merged into the desktop apps?

    I can tell that the code is working and correct in the desktop apps too, since the shown 6 fields are always identically to the last 6 fields in the code. For me as user it looks like the desktop apps are cutting off the first 2 fields, because they always show 6.

    Best regards

  • sebish
    sebish
    Community Member

    Hi all,

    first of all thanks for the great support and listening to the users here!

    As I understood, this issue with length 8 2FA has been fixed some time (years) ago. Now I added my Blizzard 2FA to 1Password (kind of hacky process) and that works. I got locked out of my account there after the last mobile exchange and that sucked.

    So this is generally working, but: The code must be length 8 and in the application for Windows and Mac (tested both), I do only get shown the last 6 digits of the code. On the website (1password.com) it does show all 8 digits as desired.

    Are you aware of that issue? Did I get something wrong? Has the fix never been merged into the desktop apps?
    I can tell that the code is working and correct in the desktop apps too, since the shown 6 fields are always identically to the last 6 fields in the code.

    Best regards

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sebish: Thanks for reaching out. There's some confusion, as 1Password supports the TOTP standard. Blizzard uses something else. So you didn't do anything wrong, but 1Password is the wrong tool for the job in this case. it will work for things like Dropbox, Twitter, Google, Facebook, and more recently PayPal (among many more others than I can name off the top of my head), which all use the TOTP standard. But it will not work with things that don't use TOTP.

    On a side note, I'd definitely recommend against using any "hacky process" to setup two-factor authentication. Even if it works, if it's unsupported by the service, it could break at any time and get you locked out. For a long while PayPal did not support TOTP officially, and people were finding ways to work around that. It's much safer now that they officially support it -- not in terms of security, but being able to rely on it working on an ongoing basis.

  • sebish
    sebish
    Community Member

    Thank you for your quick and detailed response!

    I generally fully agree to what you say. But did you read that it is already working in 1password?

    The same Password Entry is shown with 6 digits in desktop apps and 8 digits in 1password website. So even by respecting your concerns: Why not patching this functionality to the apps too? The length 8 code shown on the website password.com does work. I guess it could desync after time, but this is not likely? Why does the code from 1password work when blizzard uses a different protocol?

    Of course you do not have to teach me that. If this is the expected behaviour, it is fine. I am just curious why it works in the webapp, but not desktop.

    (!) Edit1: I just recognized that it is working in webapp and mobile app too! So the support for showing length 8 codes seems to be missing only in the desktop apps.

    Actually this is already good enough for me. So the remaining question would be, why the desktop apps show a working length 8 code as length 6 (what breaks it of course) while mobile app and webapp show it correctly as length 8?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sebish: Likewise, thanks for getting back to me. :)

    But did you read that it is already working in 1password?

    You said earlier that you got locked out of your account. I would have a hard time calling that "working", even if it seems to "work" initially. :lol:

    Why does the code from 1password work when blizzard uses a different protocol?

    I don't have any way of knowing. They don't share their methods publicly. If that changes in the future, it's possible we'd support it in 1Password. But since Blizzard doesn't support using 3rd party authenticator apps, using 1Password or any other is not recommended.

    To clarify, the TOTP spec supports codes of arbitrary lengths, and 1Password supports that as well. But this is specified within the TOTP secret. If you'd like to invalidate the string you're using to generate the codes and share it, I'd be curious to look into it. But again, we're not going to support this unless Blizzard does.

  • sebish
    sebish
    Community Member

    Deat brenty,

    that was a misunderstanding. I added this service's 2FA to 1password, because I got locked out with the blizzard authenticator after reinstalling my mobile. Everything worked fine with 1password.

    To make things short and including my newer findings:

    Users can add 2FA keys of 8 field length to 1password successfully. They are presented correctly in the web app and the mobile app. But (and this is my problem) those 8 length keys are shown as 6 length in the desktop apps, Mac and Windows.

    Therefore, I fully understand that you will not support something that is not wanted this way. But maybe you could port the behaviour of presenting length 8 keys from web and mobile app to the desktop apps? Because these are already doing it right.

    The key is stored correctly in 1password, 1password generates the correct numbers for 2FA, but the desktop apps (only) cut off 2 fields.

    If you want to, I can send you the key and or generated QRCode. I would change my account's authenticator ID before of course ;-)

    I would accept, if you refuse, since this may (!) be blizzard specific and thus is not supported. But it could appear with more (supported) 8 length keys. The different behaviour of web, mobile vs desktop is what I see here.

  • sebish
    sebish
    Community Member
    edited June 2019

    Deat brenty,

    that was a misunderstanding. I added this service's 2FA to 1password, because I got locked out with the blizzard authenticator after resetting my mobile. Everything worked fine with 1password as soon as I got the code in it.

    To make things short and include my newer findings:

    Users can add 2FA keys of 8 field length to 1password successfully. They are presented correctly in the web app and the mobile app. But (and this is my problem) those 8 length keys are shown as 6 length in the desktop apps, Mac and Windows. Tested on completely independent machines.

    Therefore, I fully understand that you will not support something that is not wanted this way. But maybe you could port the behaviour of presenting length 8 keys from web and mobile app to the desktop apps? Because web and mobile are already doing it right.

    The key is stored correctly in 1password, 1password generates the correct numbers for 2FA, but the desktop apps (only) cut off 2 fields.

    If you want to, I can send you the key and or generated QRCode. I would change my account's authenticator ID before of course ;-)

    I would accept, if you refuse, since this may (!) be blizzard specific and thus is not supported. But it could appear with more (supported) 8 length keys. The different behaviour of web, mobile vs desktop is what I see here. View of web and mobile works perfectly fine with it, but desktop apps cut off the first 2 fields:


    (Rightclick and open in new window. Already censored.)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @sebish: Ohhhh gotcha. Sorry for misunderstanding. I have totally locked myself out of my Blizzard account before, because the physical authenticator dealie (back when those were a thing) just died. I would love to be able to use 1Password for this and have it across multiple devices as a backup option...but only if it's supported and reliable, as otherwise I'm back to square one.

    The thing is, we're using the same code for this across all the apps, so that it isn't behaving the same in all cases is due to something else entirely. So my thinking is it may even be specific to the string you're currently using, or just the way it's formatted. Seriously, if you'd be willing to donate it "for science" and send it over after invalidating it, I'll be happy to test it to see if we can learn something. Just email support@1password.com and mention me -- brenty -- with link to this thread for context, and I'll take a look. :)

  • msxtj
    msxtj
    Community Member
    edited November 2019

    Alright, so I found a way to make 1Password work for Blizzard's TOTPs. The TOTPs work well.

    1. Generate a virtual authenticator serial number using the app from https://github.com/jleclanche/python-bna
    2. With the app, you will receive an otpath url in the format: otpauth://totp/Blizzard:[Authenticator_Serial_EU1234etc]?secret=[Some_Secret]&issuer=Blizzard&digits=8
    3. Save the serial number and restore code as a note in 1Password.

  • There are a number of workarounds for this, @msxtj, and this isn't the first one we've seen work. It's also obviously entirely up to you if you're comfortable using these as well. I do want to emphasize, though, that in many cases these companies have policies of their own to require you use their apps above and beyond any issues with what 1Password itself does and doesn't support. We can't promise these workarounds won't break, nor that they will consistently work as advertised. We also can't account for how Blizzard or others might change their implementation in the future and how that will impact your ability to sign in to your account with them. I won't tell you what to do and I'm sure you've taken these concerns into account, but just some words of caution for you and anyone else who might consider doing the same, potentially without a full understanding of the risks. I'd personally recommend keeping a supported authenticator around so you can use it as needed should anything happen. It's less dangerous to do these sorts of things for convenience with proper precautions taken, but having got locked out of my WoW account an hour before raid in the past, I wouldn't wish that on anyone. 🙏

  • Molinary
    Molinary
    Community Member

    So after reading this thread, Im not sure...
    Can I or can't I use 1Password as a battle.net authenticator?

This discussion has been closed.