browserpass / browserpass-legacy

Legacy Browserpass repo, development is now happening at:
https://github.com/browserpass/browserpass-extension
MIT License

OTP isn't working for me #255

Closed dustinwilson closed 6 years ago

dustinwilson commented 6 years ago

General information


Exact steps to reproduce the problem

  1. Go to a webpage I have a totp for.
  2. Put in my credentials through browserpass
  3. I'm then presented with an input box to put in an OTP.

What should happen?

I see something for me to copy or fill in the OTP.

What happened instead?

Nothing.


To give a bit of backstory I've been experimenting with pass, and I've used browserpass for about a week now. I've always used FreeOTP on my iPhone for OTP, but I decided to see how pass handles OTP. I installed pass-otp using the provided instructions, and I've installed the Pass for iOS app. I decided to use the iOS app to handle the creation of the OTP auth stuff in my password store because I can just easily scan the QR. Everything went smoothly. I synced my password store, and pass spits out an OTP just fine. However, I don't see anything in browserpass.

Here is the format I have in my password store for Amazon (and no it's not what's actually in there):

otpauth://totp/Amazon%3Auser%40ddomain.tld?secret=AA451GGSWT792GHIWPBL78AS99SSGZWZ76WLSBMPQZHG3WN2LSZT&issuer=Amazon

I'm not sure if I'm doing anything wrong. I just started this evening using OTP with pass, so I'm as green as can be with it. Thanks for your help in advance!

erayd commented 6 years ago

Is that token valid? Testing your URL with a different token works fine, but testing with your token does not work.

dustinwilson commented 6 years ago

The OTP URI I provided here isn't the one that's in my password store. I just put it there to show the formatting of it in case it was different from what you all are used to. What I have works in the iOS app and in pass but nothing shows up in browserpass.

Is there anything I can provide to test?

maximbaz commented 6 years ago

The code is using https://github.com/gokyle/twofactor; if this ends up being an issue with the format, we should report it there.

We need to understand if the problem is with parsing the OTP URI or with actually showing the OTP code on the browser side. Could you try to submit these credentials on a different website, and see if the OTP code still doesn't show up? I want to eliminate the possibility that this website that you are using has some weird stylesheet that is hiding our dialog where we show the OTP token.

dustinwilson commented 6 years ago

I've tried on both amazon.com and hover.com and both aren't working. I inspected the extension, and I'm not seeing any errors. It's only loading background.js. Here's the raw formatting for my Hover password store:

password
username: user
otpauth://totp/Hover:user?secret=a6mryljlbufszudtjdt42nh5by&issuer=Hover

I saw that you recently added support for gopass' otp format? What can I do to put another entry in there with what gopass expects? Maybe that will work, and if it does we'll know it's the URI.

maximbaz commented 6 years ago

Okay, I did some tests. Here's a Go app if you want to play with it yourself:

package main

import (
    "fmt"

    "github.com/gokyle/twofactor"
)

func main() {
    // url := "otpauth://totp/Hover:user?secret=a6mryljlbufszudtjdt42nh5by&issuer=Hover"
    url := "otpauth://totp/totp-secret?secret=AAAAAAAAAAAAAAAA&issuer=totp-secret"
    o, label, err := twofactor.FromURL(url)
    if err != nil {
        fmt.Println("error: ", err)
    } else {
        fmt.Println("OTP: ", o.OTP(), "label: ", label)
    }
}

The uncommented url I took from the README.md of pass-otp, and the execution prints:

OTP:  988427 label:  totp-secret

When I uncomment your URL, I get an error:

error:  illegal base32 data at input byte 24

I also tried to make your URL as similar as possible to the working one:

url := "otpauth://totp/totp-secret?secret=a6mryljlbufszudtjdt42nh5by&issuer=totp-secret"

But it still prints the same error.

So the only difference is in the secret part, and I notice that your secret is longer than the one from the pass-otp example.

Do you know why your secret value is this long?

I'll file a bug for https://github.com/gokyle/twofactor and ping you to fill in the details if they ask for something.
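Added example, not part of the original thread and not the twofactor library's code: Go's padded `base32.StdEncoding` rejects a secret whose length is not a multiple of 8 unless it is `=`-padded, which for the 26-character Hover sample reproduces the error at input byte 24. The function names are illustrative; `lenientDecode` shows one way to normalize case and padding before computing an RFC 6238 code with the standard library only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// hoverSecret is the sample secret posted in the thread: 26 chars, lowercase, no '=' padding.
const hoverSecret = "a6mryljlbufszudtjdt42nh5by"

// strictDecode upper-cases the secret but keeps Go's default padded decoder.
func strictDecode(secret string) ([]byte, error) {
	return base32.StdEncoding.DecodeString(strings.ToUpper(secret))
}

// lenientDecode normalizes spaces, case and padding, so padded and unpadded secrets both decode.
func lenientDecode(secret string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(secret, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// totp returns the RFC 6238 code (HMAC-SHA1, 30-second step) for a Unix time.
func totp(key []byte, unix int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

func main() {
	_, err := strictDecode(hoverSecret)
	key, lerr := lenientDecode(hoverSecret)
	fmt.Println("strict:", err, "| lenient:", len(key), "bytes", lerr, "OTP", totp(key, time.Now().Unix(), 6))
}
```

The same arithmetic explains the other report in the thread: a 52-character unpadded secret leaves 4 characters after six full 8-character groups, so the padded decoder stops at byte 48.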

dustinwilson commented 6 years ago

The first example is from Amazon which has this crazy long secret and the 2nd is from Hover. I'm getting the same error when I run your test program:

Hover:

error:  illegal base32 data at input byte 24

Amazon:

error:  illegal base32 data at input byte 48

I'm not sure why the values are long. The really long one is like the one I have for Amazon. The second is Hover. All of this is weird because it works in pass and the iOS app. This evening I'll add OTP to another login but use pass-otp instead of the iOS app and see what happens with those.

maximbaz commented 6 years ago

See https://github.com/gokyle/twofactor/issues/10, looks like it will be supported soon, and then I'll just update the dependency here and your URLs will start to work fine 😉

dustinwilson commented 6 years ago

Oh great! Thanks for your help on this. I'll just use my phone until browserpass is updated :)

maximbaz commented 6 years ago

v2.0.20 is out

qbit commented 6 years ago

Just a heads up - twofactor-v1.0.1 is out - it properly fixes the issue @dustinwilson was having.

maximbaz commented 6 years ago

Thanks, will release a new version once #257 is merged.