Closed darkpowerxo closed 8 years ago
More detail first would be nice, that's really vague
ITC
On 12 Aug 2014, at 01:08, soroush notifications@github.com wrote:
hi i set the $secret to a string typed by me, and then i typed the same thing in the 2 fact app provided by google but they won't generate the same key any help?
Open the Google auth app on any device and type your secret key as qwertyui, then use the same key here (according to the example page). Both the Google auth app and this PHP code should create the same 6 digits every 30 sec, but they are different.
```php
<?php
require_once '../PHPGangsta/GoogleAuthenticator.php';
$ga = new PHPGangsta_GoogleAuthenticator();

//changed part
$secret = "qwertyui";
//$secret = $ga->createSecret();
echo "Secret is: ".$secret."\n\n";

$qrCodeUrl = $ga->getQRCodeGoogleUrl('Blog', $secret);
echo "Google Charts URL for the QR-Code: ".$qrCodeUrl."\n\n";

$oneCode = $ga->getCode($secret);
echo "Checking Code '$oneCode' and Secret '$secret':\n";

$checkResult = $ga->verifyCode($secret, $oneCode, 2);    // 2 = 2*30sec clock tolerance
if ($checkResult) {
    echo 'OK';
} else {
    echo 'FAILED';
}
?>
```
Ahhh, I see, try the following:
Use the Google authentication code to create the secret code, but do not specify a secret code; it will return a token string. Then get it to generate a QR code image.
Store the returned token in your db, and scan the QR code using the Google auth. You may have to install a scanner or install AUTHY from the App Store; it's a better app than Google.
Then you execute the code after you have entered the 6-digit code: send the saved token with the code and then check the result.
It should work. Let me know if it does not and I'll post a small section of code for you which works. I'm away at the mo but back on Wednesday. In fact, check my gist repo on GitHub, richdonne.
I might have saved it there.
ITC
Yes, it's working :) trying to figure out why custom secrets have this behavior...
I'm sure, but I could be wrong, the secret key needs to be a certain length.
That's correct, the secret has to be at least 16 base32 characters long (or 24 or 32).
"The service provider generates an 80-bit secret key for each user. This is provided as a 16, 24 or 32 character base32 string" https://en.wikipedia.org/wiki/Google_Authenticator
Slide 8: http://de.slideshare.net/zerocool51/google-authenticator-possible-attacks-and-prevention
Or here: https://code.google.com/p/google-authenticator/wiki/KeyUriFormat Base32 means: A-Z, 2-7 and = for padding. Length: mostly 16 or 32 characters are used
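The secret format described above, as an added example that is not part of the original thread or of the PHPGangsta library: a standalone RFC 6238 routine that rejects any secret that is not 16, 24 or 32 base32 characters and computes the code from the decoded key bytes. The function names are hypothetical, and the sample inputs (the thread's `qwertyui` and the RFC 6238 test key encoded as base32) are constructed for illustration.

```php
<?php
// Added example, not PHPGangsta code. All function names are hypothetical.

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Accept only what the thread describes: 16, 24 or 32 characters from A-Z and 2-7.
function isValidSecret(string $secret): bool
{
    return preg_match('/^(?:[A-Z2-7]{16}|[A-Z2-7]{24}|[A-Z2-7]{32})$/D', $secret) === 1;
}

// Decode base32 text into the raw key bytes that feed the HMAC.
function base32Decode(string $secret): string
{
    $bits = '';
    foreach (str_split($secret) as $char) {
        $bits .= str_pad(decbin(strpos(BASE32_ALPHABET, $char)), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $octet) {
        if (strlen($octet) === 8) {            // ignore a trailing partial byte
            $bytes .= chr(bindec($octet));
        }
    }
    return $bytes;
}

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, truncated to 6 digits.
function totp(string $secret, int $timestamp): string
{
    if (!isValidSecret($secret)) {
        throw new InvalidArgumentException('Secret must be 16, 24 or 32 base32 characters (A-Z, 2-7)');
    }
    $counter = pack('N2', 0, intdiv($timestamp, 30));   // 8-byte big-endian counter
    $hash    = hash_hmac('sha1', $counter, base32Decode($secret), true);
    $offset  = ord($hash[19]) & 0x0F;                   // dynamic truncation offset
    $value   = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 1000000), 6, '0', STR_PAD_LEFT);
}

// Constructed inputs: the secret typed in the thread, then the RFC 6238 test key in base32.
var_dump(isValidSecret('qwertyui'));
echo totp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 59), "\n";
```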
Good to see my old age is not affecting me brain too much, but yet again I could be wrong lol.