alexzorin / authy

Go library and program to access your Authy TOTP secrets.
MIT License

No entries are shown #3

Closed kmpoppe closed 4 years ago

kmpoppe commented 4 years ago

Even though I authenticated the app correctly (it would seem) and entered the backup password without an error message, I get no results as Authenticator Tokens (Here are your authenticator tokens: ... crickets).

I'm using version 0.1.2 with the precompiled Windows version; unfortunately, the precompiled Linux binary has the same issue.

Can you provide any means for me to debug into this?

alexzorin commented 4 years ago

The main reason you'd encounter crickets would be if you had backups disabled. From the README:

> If you notice any missing TOTP tokens, please try toggling "Authenticator Backups" in your Authy settings, to force your backup to be resynchronized.

Apart from that,

> Can you provide any means for me to debug into this?

Yes! If you run the program with the environment variable AUTHY_DEBUG=1 set, it will dump the raw API responses from Authy, which might provide some hints as to what's going on.

kmpoppe commented 4 years ago

Hey @alexzorin, thanks for the quick response. Looking at the Go code I found AUTHY_DEBUG myself, which yielded only a little information:

[AUTHY_DEBUG] Sent request to: https://api.authy.com/json/users/***/authenticator_tokens?api_key=37b312a3d682b823c439522e1fd31c82&apps=&device_id=***&otp1=***&otp2=***&otp3=***, got response: {"message":"success","authenticator_tokens":[],"deleted":[],"success":true}

So it seems that the backup is not working. I enabled the backup in the Chrome Extension; then, looking at the Authy app on my phone, backups were still not enabled, so I enabled them there as well, but still got only crickets.

What I wonder is: I see the API request with no results before I get challenged for the backup password. Is that by design?

alexzorin commented 4 years ago

> What I wonder is: I see the API request with no results before I get challenged for the backup password. Is that by design?

Yep. What happens is that we download the encrypted backup from Authy, and then we decrypt it locally. We don't need to prompt the user for the password until we have something to decrypt.

> So it seems that the backup is not working

It's either that or you don't have any actual TOTP secrets. Authy has a proprietary type of token which is not true TOTP/RFC6238, but is basically a customized (and incompatible) version of the algorithm.

For example, Twitch uses this kind of token and wouldn't appear in the API endpoint that we use. Back in the day, Cloudflare and Humble Bundle also used it, but then they migrated to regular TOTP. Today, the overwhelming majority of sites use real/standard TOTP.

I haven't looked into reverse engineering how these TOTP-but-not-really tokens work, basically because it wasn't a personal need of mine and Twitch won't let me set it up unless I first give them my phone number (big sigh).

kmpoppe commented 4 years ago

I bet you've read my comment on the gist. Yes, I was trying to get the Twitch TOTP-but-not-really tokens from the API. So, obvs. the JavaScript stuff for main.html is able to read some kind of secret that, being fed back into 1Password, will work, so there must be an algorithm at work that resembles the RFC one, right? Is there any API endpoint that sounds like it would deliver these proprietary tokens/secrets?

alexzorin commented 4 years ago

1Password probably has dual support for Authy's algorithm in addition to regular TOTP (but that's just speculation on my part, never used it).

Of course, the other tokens are going to be stashed away in some other endpoint. Since at the time of development, I didn't have any such tokens, I pretty much ignored everything that I didn't need. From what I saw, there's some complicated-looking key wrapping going on for "other" Authy functionality and I noped right out of there when I saw it wasn't conducive to my goals D:. And to be honest, I'm unlikely to go back for it any time soon - I've since deleted Authy entirely.

kmpoppe commented 4 years ago

> 1Password probably has dual support for Authy's algorithm in addition to regular TOTP (but that's just speculation on my part, never used it).

To me, it feels like "just" another TOTP secret that fell out of pudly's script, but I could be entirely mistaken.

> Of course, the other tokens are going to be stashed away in some other endpoint. Since at the time of development, I didn't have any such tokens, I pretty much ignored everything that I didn't need.

Do you have an API documentation that I could use for looking into this further or did you reverse-engineer the whole functionality?

alexzorin commented 4 years ago

> Do you have an API documentation that I could use for looking into this further or did you reverse-engineer the whole functionality?

I don't think there's any API docs for this stuff. I used the Chrome Extension + SSLKEYLOGFILE + Wireshark to figure out the network requests, and read the Authy Chrome Extension's minified source code to figure out the crypto stuff.

Doing just the first bit with an account that has a Twitch token should reveal pretty quickly which endpoint it's hiding in.

kmpoppe commented 4 years ago

> Doing just the first bit with an account that has a Twitch token should reveal pretty quickly which endpoint it's hiding in.

🙄 Oh wonderful, SSLKEYLOGFILE, something I tried getting to work thrice and failed miserably. Oh well, it seems I will once again try to make that work.

alexzorin commented 4 years ago

Although I have now added support for Twitch-type tokens, there is quite a significant downside.

When you have a Twitch account in Authy and add multiple devices to your account, each account is assigned a unique and distinct TOTP secret for Twitch.

When you log in to Twitch, Twitch passes on your 7-digit code to Authy.com, which then checks if it matches any of the TOTP secrets on any of your devices.

This is distinct from normal TOTP flows, where the website you are logging in to is the one that controls and evaluates TOTP login attempts.

What this means is that Authy can revoke that token at pretty much any time.

So if you imported it to 1Password and then deleted your Authy device (that authy-export added), it's possible that Authy will revoke that Twitch TOTP token after some time. So you probably need to keep that device added forever, and just destroy the device credentials instead.

tl;dr: You can export the Twitch TOTP secret, but you're still married to Authy no matter what you do.
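The two technical points in this thread, standard RFC 6238 TOTP as opposed to Authy's proprietary variant (alexzorin's earlier comment) and the multi-device, server-side verification model just described, can both be made concrete in a small Go program. The following is an added example written for this page; it is not code from the authy-export project or from the thread. It implements textbook RFC 4226/6238 with configurable digits and step (checked against the RFC test vectors), and then models the verification flow described above: a site forwards the code to the token issuer, which accepts it if it matches the current code of any registered device, and removing a device revokes that device's secret. Assumptions: the `device`, `authyStyleVerify`, `removeDevice` and `standardVerify` names are hypothetical, the secrets are constructed, and the thread only states that the Twitch code is 7 digits, so the 30-second step in `authyPeriod` is a placeholder, not a claim about Authy's real parameters.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Parameters for the Authy-style model below. The thread only states that the
// Twitch code is 7 digits; the 30-second step is an assumption for this example.
const (
	authyDigits = 7
	authyPeriod = 30 * time.Second
)

// hotp computes an RFC 4226 HOTP value (HMAC-SHA1 plus dynamic truncation)
// for the given key and counter, zero-padded to the requested number of digits.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp is RFC 6238: the HOTP counter is the Unix time divided by the time step.
func totp(key []byte, t time.Time, period time.Duration, digits int) string {
	return hotp(key, uint64(t.Unix())/uint64(period/time.Second), digits)
}

// standardVerify models the normal flow: the site itself holds the one shared
// secret and evaluates the code (hypothetical helper, constant-time compare).
func standardVerify(secret []byte, code string, t time.Time, period time.Duration, digits int) bool {
	return hmac.Equal([]byte(totp(secret, t, period, digits)), []byte(code))
}

// device is one registered Authy device holding its own secret for the site.
type device struct {
	name   string
	secret []byte
}

// authyStyleVerify models the flow the thread describes: the site forwards the
// code to the issuer, which accepts it if it matches the current code of ANY
// registered device. Returns the matching device name and whether it matched.
func authyStyleVerify(devices []device, code string, t time.Time, period time.Duration, digits int) (string, bool) {
	for _, d := range devices {
		if hmac.Equal([]byte(totp(d.secret, t, period, digits)), []byte(code)) {
			return d.name, true
		}
	}
	return "", false
}

// removeDevice drops the named device from the list; because verification only
// considers registered devices, this is exactly the revocation the thread observed.
func removeDevice(devices []device, name string) []device {
	var out []device
	for _, d := range devices {
		if d.name != name {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// RFC 6238 Appendix B test key; T=59 with SHA-1 and 8 digits must give 94287082.
	key := []byte("12345678901234567890")
	fmt.Println("RFC 6238 T=59:", totp(key, time.Unix(59, 0), 30*time.Second, 8))

	// Constructed secrets standing in for the distinct per-device Twitch secrets.
	devices := []device{
		{name: "phone", secret: []byte("constructed-secret-phone")},
		{name: "authy-export", secret: []byte("constructed-secret-export")},
	}
	now := time.Now()
	code := totp(devices[1].secret, now, authyPeriod, authyDigits)
	name, ok := authyStyleVerify(devices, code, now, authyPeriod, authyDigits)
	fmt.Println("code from export device accepted:", ok, "via", name)

	devices = removeDevice(devices, "authy-export")
	_, ok = authyStyleVerify(devices, code, now, authyPeriod, authyDigits)
	fmt.Println("after removing the export device, accepted:", ok)
}
```

The contrast between `standardVerify` and `authyStyleVerify` is the whole point: with standard TOTP the exported secret is all the site ever needs, so the authenticator vendor drops out of the picture; with the Authy-style model the secret is only meaningful while the issuer still lists the device that holds it, which is why the thread concludes that the device registration has to be kept around.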

kmpoppe commented 4 years ago

I was wondering for like 5 seconds: why oh why is the secret different but I'm still able to log on with that other secret in the OTP 🤔

That pretty much explains it. After all, this can be regarded as a proof of concept.

If Twilio decides they want to be open to users of other authenticators and give a way to export them into another software, that'll be fine as well 😬

Thank you for your time!

// Kai

kmpoppe commented 4 years ago

Re: Still married to Authy - I pretty much believe that that is the case no matter what I do, when I remove Twitch from the Authy app it might get de-authed at some point in time.

kmpoppe commented 4 years ago

> What this means is that Authy can revoke that token at pretty much any time.

Tried this. Once I removed the "Unknown" device from my Devices list in Authy, the TOTP that came from that secret no longer worked. So in essence, one just has to keep this one authorization within the app and you're pretty much safe.