alexzorin / authy

Go library and program to access your Authy TOTP secrets.
MIT License
801 stars 57 forks source link

URI output for 7-digit tokens does not yield correct codes when compared #8

Closed ZaphodB closed 4 years ago

ZaphodB commented 4 years ago

Hi,

I have several 7 digit tokens (for example Twitch, Twilio, Authy Dashboard) where the QR codes resulting from the URI authy-export outputs does not yield the same tokens in 1Password or Google Authenticator when compared with Authy. Notably the longer secrets for Amazon Web Services with 6 digit tokens work just fine so it would appear there is some special treatment required for those 7 digit ones.

alexzorin commented 4 years ago

where the QR codes resulting from the URI authy-export outputs does not yield the same tokens in 1Password or Google Authenticator when compared with Authy

This is normal. For those kinds of services, Authy issues a separate OTP secret for every individual device registered to your Authy account. This allows them to revoke access to individual devices. authy-export is itself a separate device, so it gets a different OTP secret. This has always been the case.

More recently, I have read a comment that Authy have begun intentionally breaking compatibility with the RFC6238 TOTP standard for those types of services. If the 7-digit code generated by authy-export for those services does not work, then I would suspect that this change is the reason way. I am as of yet undecided whether I am going to bother cat-and-mousing Authy's changes, as I have long since closed my Authy account.

alexzorin commented 4 years ago

Well, I signed up to Authy again and double-checked whether the TOTP export for Twitch still produces codes that pass authentication - and it still does. There's not much I can do about the code being different - that's just how Authy works on the backend.

I'm going to close this, but if I have missed the point somewhere, please let me know!