2fa strange, sync wifi, alternate error

akissz
Community Member

Having a strange issue with 2FA one-time passwords. It's set up to sync over wifi, 2 devices, and the codes alternate in some way: sometimes the code on the computer functions normally, while other times the code on the computer has the wrong time or something, so the code is incorrect. But then the code on the phone functions. Then I disable 2FA, reset and re-enable 2FA, resync the 2 devices, and the computer functions and the phone does not function. It seems to go back and forth between the 2 devices. Visually the numbers are different on each device. Should I be looking at something? The wifi on both devices is the same, meaning the clock should be updating correctly so both devices have the same time clock, etc. What do I need to fix so that the sync is correct between the devices? I am worried this will become worse.


1Password Version: 7.4.1
Extension Version: 4.7.5.90
OS Version: 10.14.5
Sync Type: Not Provided

Comments

  • gbx
    Community Member

    I'm seeing similar behaviour: the 2FA codes displayed in my Mac and iOS clients are not the same.

    I first noticed this yesterday when I created a new 2FA entry and the website would not accept my confirmation code. Within the allowed time window I then tried the (different) code generated on iOS and it worked. I looked at many of my login entries that have 2FA codes and they were different across clients when they refresh.

  • akissz
    Community Member

    Good. It seems like a bug. But how is that possible? Hopefully more people will reply.

  • danco
    Volunteer Moderator

    Remember that 2FA codes are generated using the current time. This can be slightly off, which prevents them working. Even with the same wifi network, the time may have drifted on one machine and not have updated recently.

  • akissz
    Community Member

    @danco Explain how that would be possible.
    Time does not drift from one device to another device in a matter of 5 minutes.

  • DanielP
    1Password Alumni
    edited January 2020

    @akissz, @gbx:

    I hope you don't mind if I jump on this discussion on behalf of danco (and danco, I hope you don't mind my intrusion here either, but please feel free to continue being part of the conversation).

    > Time does not drift from one device to another device in a matter of 5 minutes.

    I don't see danco mentioning 5 minutes anywhere in his post, so I am not sure where you got that specific number. However, I see that he wrote that the time can be "slightly off" instead, and he is absolutely right about this.

    Here is the longer explanation for you, as requested: 2FA codes are generated based on the time of your devices, and if the time on these devices differs (not by 5 minutes: just a few seconds will be enough), then the generated codes will be different. TOTP (the algorithm that generates your 2FA codes) stands for Time-Based One-Time Password Algorithm. If you are curious, you can read all of its details in RFC 6238, which explains exactly how the time-based information is used in the code generation process.

    > The wifi on both devices is the same, meaning the clock should be updating correctly so both devices have the same time clock, etc.

    Note that your devices are not getting the time from your WiFi, so the fact that they share the same connection is irrelevant. Your connection is simply the means through which your devices fetch the correct time. What ultimately sends the time to your devices is an NTP server.

    However, also note that the NTP protocol is not meant to catch big drifts in time. It can only progressively adjust where time drift is small. This is why, when your clock is off by a large value, you typically first need to manually adjust it to an almost-correct value, before NTP can automatically sync with the right time correctly.

    You have not mentioned this in your latest post, but have you checked if the time is actually the same on all your devices? A website such as https://time.is can help you with this.

    ==
    Daniel
    1Password Security Team

  • akissz
    Community Member

    @DanielP So you are basically saying this is a big flaw in the 2FA protocol and it will always happen and there is no good way to verify all is correct until you type the code into a login and see error messages. Correct? Or is there another way to confirm the time is correct? It seems like a big error in the protocol. And it seems this is probably a big conversation on the internet for many years now probably.

  • akissz
    Community Member

    @DanielP I have always disliked the slow JavaScript in 1Password. Could the time issue be related to the actual web browser slowing down so much as it does sometimes when you have 200 tabs open?

  • DanielP
    1Password Alumni

    @akissz:

    > So you are basically saying this is a big flaw in the 2fa protocol and it will always happen and there is no good way to verify all is correct until you type the code into a login and see error messages.

    No, I am not saying that this is a flaw. The algorithm is not doing anything wrong, since it is doing things by the book: the time differs, therefore the codes differ. This is exactly how the protocol is supposed to work: if there is a time component to an algorithm, all devices where that algorithm is run must have the exact same time in order to get the same output. This is actually a great example of it's not a bug, it's a feature ;) It is expected behavior for TOTP to generate different codes starting from different timestamps: this is exactly what allows it to generate new codes every 30 seconds for you, based on the fact that the time changed since the last generated timestamp.

    You are also confusing a symptom with the root cause: your TOTPs failing when you enter them in a login form is not the issue. That's a symptom of another problem, which in this case is the time drift on your device. Your 2FA codes are failing because the time is off on your device, so that is the real issue you have to focus on.

    > Could the time issue be related to the actual web browser slowing down so much as it does sometimes when you have 200 tabs open?

    No: time is set at the system level and shared everywhere on your system. You could have one single tab open, but the time would still be coming from NTP.

    You could however test this for good measure: you said that the codes you are seeing are different on two different devices, but what about on the same device, in two different clients? For example, if you open one of these items with a 2FA inside the 1Password for Mac desktop app, and the same item inside 1Password.com in your browser (on the same device where you are running 1Password for Mac), what do you see?

  • gbx
    Community Member
    edited January 2020

    Thanks very much @DanielP and @danco for your explanations. That was indeed my problem: my Mac was 1 minute ahead of exact time and I didn't notice, whereas my iOS devices are almost exact.

  • DanielP
    1Password Alumni

    You are welcome @gbx! And thank you for the update :+1:

  • akissz
    Community Member

    @DanielP Thanks for the info. I will confirm the browser plugin number vs the actual desktop app numbers (if this happens again). 2 days have passed (all is fine now, without knowing why). I'm assuming it will not happen again for a long time. But one more question: do you think it's a 100 percent chance it's only the clock and nothing else could be causing problems, and I should keep calm and not worry?

  • DanielP
    1Password Alumni

    @akissz:

    It's either the time, or the 2FA secret. TOTP will generate different 2FA codes if:

    • Two devices use the same time, but different 2FA secrets, or
    • Two devices use the same 2FA secret, but are on a different time

    In your case, this could not have been a problem with the 2FA secret, since things fixed themselves automatically after a while, so all evidence points to a drift in time. If your devices were indeed using different 2FA secrets, they would never go back in sync automatically again.

    Now, there is always the possibility that you might have caught a bug somewhere, but in my experience so far, this always turned out to be an issue with the device time. I really wouldn't worry too much about this :) Especially since at least one of your devices was always working, which shows that the issue was limited to just one device.
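
The behaviour explained in this thread (a shared secret with clocks a few seconds apart giving different codes, and a clock one minute ahead being rejected), as an added example that is not part of the original discussion and is not 1Password's code. It uses the RFC 6238 test secret; the `server_accepts` tolerance of one step either side is an assumption about a typical verifier, and `steps_apart` is a helper named here for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and a 30-second step."""
    counter = unix_time // STEP  # only the step number is hashed
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def steps_apart(clock_a: int, clock_b: int) -> int:
    """How many time steps clock_b is ahead of clock_a (hypothetical helper)."""
    return clock_b // STEP - clock_a // STEP


def server_accepts(secret: bytes, code: str, server_time: int,
                   window: int = 1, digits: int = 6) -> bool:
    """Accept codes from `window` steps either side of the server's step.

    The window size is an assumption; each service chooses its own.
    """
    return any(
        hmac.compare_digest(code, totp(secret, server_time + k * STEP, digits))
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    exact = 1111111109        # constructed "true" time, late in a step
    phone = exact + 2         # 2 s fast: already in the next step
    mac_clock = exact + 60    # 1 min fast, as in gbx's report
    for name, clock in (("exact", exact), ("phone", phone), ("mac", mac_clock)):
        code = totp(RFC_SECRET, clock)
        print(name, code, "steps ahead:", steps_apart(exact, clock),
              "accepted:", server_accepts(RFC_SECRET, code, exact))
    # Same time, different secret: codes also differ and never resync.
    print("other secret", totp(b"a-different-secret!!", exact))
```

Running it shows the phone's code differing from the exact-time code yet still being accepted within the one-step window, while the clock that is a minute fast lands two steps away.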

This discussion has been closed.