RobThree / TwoFactorAuth.Net

.Net library for Two Factor Authentication (TFA / 2FA)
MIT License

Instagram TOTP Codes are Invalid #15

Closed jbellomy97 closed 4 years ago

jbellomy97 commented 4 years ago

Good afternoon,

I'm trying to make TwoFactorAuth.NET work with Instagram. When enabling 2FA, Instagram gives you a Base32 string of characters. Using this string here, I would expect TwoFactorAuth.NET to generate accurate 6-digit TOTP responses:

Dim TFA As New TwoFactorAuth
Dim Code As String = TFA.GetCode("xxxx")
Call Console.WriteLine("[*] TOTP 2FA Code: " & Code)

Even after iterating through each timezone when trying to generate codes, the TwoFactorAuth.NET codes are invalid. The codes are also different from what Google Authenticator generates at the same time for the same Base32 string, and those codes work. I have a .Net solution and an exemplar account I would be happy to give you access to privately in support of any troubleshooting you might be able to help me with.

RobThree commented 4 years ago

I'm sorry, I can't make heads nor tails from your question.

What does TwoFactorAuth.Net have to do with Instagram? Why are you iterating timezones? Are you even sure your time is correct? What is your discrepancy setting? Have you read the README?

I have a .Net solution and an exemplar account I would be happy to give you access to privately in support of any troubleshooting you might be able to help me with.

Always provide sample code to reproduce an issue immediately when opening an issue instead of having people ask for it. I'm not interested in accessing (private) repositories and I don't do 'private support' and 'troubleshooting' (i.e. debugging your code). Simply strip your issue down to the bare minimum (e.g. a testcase) to reproduce and post it here. That way, when I help you I also help others that might face similar issues.

Finally: I'm pretty sure the codes generated are correct since they're tested against known test vectors (all 36 correct, spread over 3 tests: KnownTestVectors_SHA1, KnownTestVectors_SHA256 and KnownTestVectors_SHA512). You're free to verify the code yourself; here's the algorithm from the RFC.

Edit: Also, I'm not sure exposing your 2FA secret, username and (test)password is a good idea...

jbellomy97 commented 4 years ago

Rob,

Instagram allows you to set a TOTP secret key to generate codes with a TOTP generator. TFA.NET being one of those generators, I expected it to properly generate codes that Instagram would accept given the TOTP secret key that Instagram supplies.

I see you found the (old) 2FA secret, username, and test password I was using with another developer. If I were to give you the new TOTP secret you would then have exactly the bare minimum test case I'm trying to troubleshoot. Before opening the issue I read your README and would point out that I'm not using VerifyCode(), the only place your README mentions discrepancy. I've had two other people look at it without being able to figure out why Google Authenticator would generate codes differently than TFA.NET given the three lines you see above. I thought maybe Instagram was doing something undocumented with timezones, so I tried all of them just in case I stumbled on the issue but that didn't solve anything either.

RobThree commented 4 years ago

Timezones are irrelevant since TOTP codes are based on UTC. And, again, the codes are correct (see the testvectors). Have you tried anything else besides Instagram?

If I were to give you the new TOTP secret you would then have exactly the bare minimum test case I'm trying to troubleshoot.

Not really; I don't have a clue what Instagram.AttemptLogin() does. Who's to say that code doesn't have a bug? But, ok, hang on, let me test something real quick.

Edit: Wrote this code:

var tfa = new TwoFactorAuth();
while (true)
{
    Console.WriteLine(tfa.GetCode("R3NSRIREIT4CNKHR7CSHM7HZAPXEXEMI"));
    Thread.Sleep(1000);
}

This produces the exact same codes as Lastpass Authenticator, Google Authenticator and MS Authenticator.
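To make the two points in this thread checkable without a dotnetfiddle (the codes are fixed by the RFC test vectors, and the time zone cannot matter because the counter is derived from Unix time), here is an added Python reference implementation of RFC 4226 HOTP / RFC 6238 TOTP. It is example code written for this page, not the TwoFactorAuth.Net library's code; the `decode_base32_secret` helper and the `"gezd gnbv gy"` sample secret are constructed for illustration, and the test vectors are the HMAC-SHA1 ones from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone


def decode_base32_secret(secret: str) -> bytes:
    """Decode a shared secret the way authenticator apps accept it.

    Sites usually show the secret in space-separated groups, sometimes in
    lower case, and almost never with the '=' padding Python's decoder requires.
    (Helper constructed for this example.)
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).

    unix_time is seconds since the Unix epoch, which is UTC by definition, so
    the local time zone never enters the calculation.
    """
    return hotp(key, int(unix_time) // period, digits, algorithm)


def totp_at(key: bytes, when: datetime, **kwargs) -> str:
    """TOTP for a timezone-aware datetime; the same instant in any zone gives the same code."""
    if when.tzinfo is None:
        raise ValueError("naive datetimes are ambiguous; pass a timezone-aware value")
    return totp(key, when.timestamp(), **kwargs)


# RFC 6238 Appendix B test vectors for HMAC-SHA1 (8 digits, 30-second step).
RFC6238_SHA1_SECRET = b"12345678901234567890"
RFC6238_SHA1_VECTORS = {
    59: "94287082",
    1111111109: "07081804",
    1111111111: "14050471",
    1234567890: "89005924",
    2000000000: "69279037",
    20000000000: "65353130",
}


def check_rfc6238_vectors() -> bool:
    """Return True when every SHA1 vector from RFC 6238 is reproduced."""
    return all(
        totp(RFC6238_SHA1_SECRET, t, digits=8) == code
        for t, code in RFC6238_SHA1_VECTORS.items()
    )


if __name__ == "__main__":
    print("RFC 6238 SHA1 vectors:", "ok" if check_rfc6238_vectors() else "MISMATCH")
    # The same instant expressed in UTC and in UTC+02:00 yields the same code.
    utc_instant = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    plus_two = utc_instant.astimezone(timezone(timedelta(hours=2)))
    print(totp_at(RFC6238_SHA1_SECRET, utc_instant, digits=8),
          totp_at(RFC6238_SHA1_SECRET, plus_two, digits=8))
    # Constructed sample secret in the format sites display it (not a real account secret).
    key = decode_base32_secret("gezd gnbv gy")
    print("current code for the sample secret:", totp(key, datetime.now(timezone.utc).timestamp()))
```

If this script reproduces the RFC vectors but a site still rejects the code, the remaining suspects are the ones Rob lists: the machine clock being off by more than the site's accepted drift window, a secret that was mangled in transit (whitespace, case, or a stray character), or the application code around the library rather than the library itself.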

jbellomy97 commented 4 years ago

That code, in case you're interested, is located here: https://github.com/jbellomy97/Testagram/blob/9037f57116314cac56a248a4678c804e5f1cc456/Instagram.vb#L27 (same project, different module).

RobThree commented 4 years ago

That code, in case you're interested, is located here: https://github.com/jbellomy97/Testagram/blob/9037f57116314cac56a248a4678c804e5f1cc456/Instagram.vb#L27 (same project, different module).

I saw, but you can't expect me to go over it and debug it all (especially not a 102-line method nested 5, 6, 7 levels deep 😱). That's not how this works. You can't expect people to debug and/or fix your code 😉

I just verified (see my edit) and TwoFactorAuth.Net produces the exact same codes as other TOTP apps. You can check it here. Make sure you click "Run" though, as the response may be a cached code. Then click Run every time your authenticator app changes codes (give or take a few seconds, depending on how far dotnetfiddle's clock is off*). Works for me, every time.

* That's why I also output the UTC time.

jbellomy97 commented 4 years ago

Rob, thank you - it's now generating 2FA codes that the website accepts and that equal Microsoft Authenticator. I think I'm good here, thanks for your time.

RobThree commented 4 years ago

Please have the courtesy to let me/us know what the problem was. I've put effort into this, now you please do the same. Quid pro quo.

jbellomy97 commented 4 years ago

Honestly, I couldn't tell you. Using a different account I had it generate new 2FA material and plugged it into Microsoft Authenticator. I took that material and put it in the same call to TFA. I wonder if with all the banging I've been doing on it the original account is messed up on the backend because it works just fine taking the new 2FA material generated.

On Sat, Aug 29, 2020 at 7:57 PM Rob Janssen notifications@github.com wrote:

Please have the courtesy to let me/us know what the problem was https://xkcd.com/979/. I've put effort into this, now you please do the same.

RobThree commented 4 years ago

Next time please verify these kinds of things before wasting someone else's precious time 😉 😗