Closed dom-madrid closed 9 years ago
Hi:
I don't know, sorry. I think that with the same secret the Google app must return the same auth code. Did you scan the QR code?
Hi,
I tried both options: QR scanned by both phones and secret code entered manually. Same results in both cases.
Dominique
I'm working on a fix for the same problem in my fork. The KeyUriFormat (https://code.google.com/p/google-authenticator/wiki/KeyUriFormat) specifies that the secret should be base32 encoded, but this plugin is just creating a random base32-like string. The Google auth app on Android is base32 decoding the key, thus the keys (and thereby codes) are different on the phone vs. the plugin. It seems to work fine on iPhones for some reason though; I'm not sure why the iOS version of the Google auth app doesn't expect the base32 key.
Hi, sorry for the delay:
QR codes generated by the plugin also work fine with Android phones (tested with my old Nexus4 and Nexus5 and other colleagues' phones). If you have issues with QR-code generation calling chart.googleapis.com, you can use this commit (https://github.com/corrideat/twofactor_gauthenticator/commit/4e5bf3a62292e945b284cbcb8838026691bb29ef) from corrideat.
If you put the same secret into two phones, the generated codes must be identical passwords, sure.
Actually, as I described the error, it does not work either with the QR code or the secret code itself. It works under certain conditions (Android versions before KitKat) and not with KitKat. I tried with ICS and JB without problems. Tests were made on different phones (models and brands). It can be repeated every single time. I opened a bug on the Google auth app side, and the error has been confirmed by at least one other user.
The root of the problem is that this plugin generates random base32 characters, rather than base32 encoding a random set of bytes. The PHP library base32 decodes the key before using it, and the Google Auth app does the same. I fixed this in my fork by adding a base32 encoding function around the key generation. I also included support for the browser-based secure random number generator, since using the math random function for crypto is not a good idea.
Justin, where can I find your fork? Or is it only for your use? Can you upload your changes to the main project so that they get incorporated into the project?
Here is my fork: https://github.com/jusbuc2k/twofactor_gauthenticator
It's not quite done yet; I'm also simplifying the user interface. I haven't done any testing with iPhones yet, just Android.
JB
Justin Buchanan
I ripped your code and put it on the plugin -with credits, of course :-)
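A diagnostic for the mismatch discussed above, added here as an example in Python (it is not code from the plugin or from either fork): it creates a secret by base32-encoding CSPRNG bytes, decodes it strictly, and computes RFC 6238 TOTP so a rejected code can be classified as clock drift or as a key mismatch. The function names and the 10-byte secret length are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def new_secret(num_bytes=10):
    """Base32-encode CSPRNG bytes; 10 bytes give 16 characters with no padding."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def decode_secret(secret):
    """Strictly turn the shared secret string into HMAC key bytes."""
    s = secret.replace(" ", "").upper().rstrip("=")
    # b32decode raises ValueError (binascii.Error) on bad characters or length.
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    # Re-encoding catches non-zero trailing bits, which this decoder drops silently.
    if base64.b32encode(key).decode("ascii").rstrip("=") != s:
        raise ValueError("non-canonical base32 secret")
    return key


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    counter = struct.pack(">Q", max(int(unix_time), 0) // step)
    mac = hmac.new(decode_secret(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def match_offset(secret, code, unix_time, window=1, step=30):
    """Return the time-step offset at which `code` is valid, else None.

    Non-zero offset: the phone clock has drifted. None with a synced clock:
    the app is not using the same key bytes as the server.
    """
    for off in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + off * step, step), code):
            return off
    return None


# Constructed sample: the RFC 6238 test key b"12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))
    print(match_offset(RFC_SECRET, "287082", 89))
```
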
Hi alexandregz,
I installed this plugin on my mailserver 8 months ago and it worked beautifully. However, yesterday I rebuilt the mail server from scratch and I cannot seem to get this plugin to work. I keep getting "Incorrect Code" when testing the code and I've tried on a variety of authenticators. Do you have any ideas on where to start looking?
Edit: looks like my friend was able to get it to accept a code when he scanned the QR on a Lollipop device. So far no one with KitKat has been able to generate a valid code, however. Perhaps the recent revision isn't working correctly?
Hi Algebro7:
If you reinstall the Roundcube app from scratch, you need to re-activate the plugin; all prefs are in the DB, in the users prefs field. But your friend can get into webmail? Same machine?
Thanks Alex. I should clarify that it was a completely new machine for the installation, just with the same domain name as the old one. So everything should be absolutely fresh and clean on the new machine. My friend was able to authenticate with a code on the Google Authenticator app on his Lollipop Android phone, but no one else (KitKat users) seems to be able to.
I did notice some people mentioning a similar problem here: https://code.google.com/p/google-authenticator/issues/detail?id=413
Do you think it could be related? Thanks for your help.
Stupid question: have you synced the time in the phone app (Google Authenticator)?
Yep. I'm going to test it with some other phones today as well and let you know the results.
OK, I'm waiting for your test. I don't know the differences between Lollipop and KitKat systems with TOTP or the Google Authenticator app :disappointed:
Ok, I've tested with a couple of different phones on different accounts and the ones that are running KitKat are confirmed to not be working with the plugin. I'm thinking it has to do with the bug described in the thread I linked earlier.
I'm going to close this, I think it's about differences between Android versions with TOTP
Thx for the feedback!
I have the plugin installed in my Roundcube setup, and two smartphones with the Google App for the 2nd password. For the same account, the auth code differs. One is valid (on a Galaxy Nexus with 4.3 Jelly Bean), one is not (BQ Aquaris E5 with 4.4 KitKat). On both I tried to sync the system for time corrections (no errors returned)... I am at a loss. Any ideas?