freeotp / freeotp-android

Apache License 2.0

Please add more details on "Token is unsafe!" message #287

Open ChristianStadelmann opened 1 year ago

ChristianStadelmann commented 1 year ago

When scanning a QR code from Microsoft's mfasetup on https://aka.ms/mfasetup, I get this warning:

Token is unsafe!

The token you are attempting to add contains weak cryptographic parameters. Use of this token is strongly discouraged! Please alert your token provider.

[Cancel] [Add Anyway]

It might be useful to have more details on why the token is unsafe, e.g. some text about the algorithm (cipher, key exchange mechanism, parameters, …). If possible, it would also be nice to tell why the token is unsafe.

Version info: FreeOTP 2.0 (24) from F-Droid repository on Android 11.

yanivhs commented 1 year ago

I'm using sha512 tokens, and also got this message...

Looking at the app code, you can see it expects it to use uppercase letters, while in the examples they are in lowercase.

ChristianStadelmann commented 1 year ago

Looking at the app code, you can see it expects it to use uppercase letters, while in the examples they are in lowercase.

Thanks for this hint, I've created #288 for that.

Nevertheless, it would be interesting to have more details in case of a "Token is unsafe!" message, so I'll leave this issue open.

ninernet commented 1 year ago

I recently (3 January) factory-reset my phone and reinstalled the app. I didn't even look for options to back up what I already had set up in the app (and I don't think they existed in the version I had installed at the time) as I assumed that getting set up again with the vendors that require the use of an authenticator app would be straightforward. How wrong I was!

I only had two vendors set up in the app. The first one I tried to re-set up is a company where I expect issues on an almost daily basis, and I got the "Token is unsafe!" warning. I brought it to their attention last week and I am still awaiting a response on how I should proceed. With my bank today I did not expect this warning, and after half an hour of trying to help me they gave up and opened a ticket with their IT department.

So yes, per the original poster some additional information would probably be useful. But since this is affecting a bank and Microsoft (as opposed to mom-and-pop outfits), I'm actually wondering if this might be a bug. Supposedly I will hear from my bank tomorrow, but in advance I've been trying to find information on this issue so that I can look semi-intelligent when they call.

mokraemer commented 1 year ago

It looks like freeOTP requires that tokens have at least 128 bits (26 base32-coded digits). Otherwise it is considered insecure. It would be very helpful to show this hint. 80 bits (16 base32 digits) were accepted before and are still by the iOS app.

justin-stephenson commented 1 year ago

It looks like freeOTP requires that tokens have at least 128 bits (26 base32-coded digits). Otherwise it is considered insecure. It would be very helpful to show this hint. 80 bits (16 base32 digits) were accepted before and are still by the iOS app.

Yes, due to https://www.ietf.org/rfc/rfc4226.txt algorithm compliance requirements but I agree we should more clearly state this in the error message. We should also establish uniformity with FreeOTP iOS, and perhaps provide an option to ignore this insecure warning and add the token anyway.
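As an added illustration of the check discussed above (example code, not FreeOTP's own): a Python routine that decodes the otpauth secret, measures it against the RFC 4226 minimum of 128 bits, and reports the specific reason instead of the bare warning. The case-insensitive algorithm comparison is an assumption in line with #288, and the sample URIs are constructed.

```python
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# RFC 4226 section 4 (R6): the shared secret MUST be at least 128 bits and
# SHOULD be 160 bits. Secrets below the minimum are what trigger the
# "weak cryptographic parameters" warning discussed in this thread.
MIN_SECRET_BITS = 128
RECOMMENDED_SECRET_BITS = 160
# Key-URI algorithm names, compared case-insensitively here (an assumption
# matching the fix requested in #288, not the app's current behaviour).
SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


def decode_base32_secret(secret: str) -> bytes:
    """Decode leniently: providers omit '=' padding, use lowercase, add spaces."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 pads to a multiple of 8 chars
    return base64.b32decode(cleaned)

def check_token(uri: str) -> dict:
    """Explain which parameter is weak instead of a bare 'Token is unsafe!'."""
    params = parse_qs(urlparse(uri).query)
    secret = params.get("secret", [""])[0]
    algorithm = params.get("algorithm", ["SHA1"])[0].upper()
    reasons = []
    try:
        key_bits = len(decode_base32_secret(secret)) * 8
    except binascii.Error:
        key_bits = 0
        reasons.append("secret is not valid base32")
    else:
        if key_bits < MIN_SECRET_BITS:
            reasons.append(
                f"secret is {key_bits} bits ({len(secret)} base32 chars); "
                f"RFC 4226 requires at least {MIN_SECRET_BITS} bits "
                f"(26 base32 chars) and recommends {RECOMMENDED_SECRET_BITS}")
    if algorithm not in SUPPORTED_ALGORITHMS:
        reasons.append(f"unsupported algorithm {algorithm!r}")
    return {"key_bits": key_bits, "algorithm": algorithm,
            "safe": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URIs, not real provider output: an 80-bit secret
    # (php gangsta's default length) and a 128-bit one with lowercase sha512.
    for uri in ("otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example",
                "otpauth://totp/Example:bob?secret=jbswy3dpehpk3pxpjbswy3dpeh&algorithm=sha512"):
        print(check_token(uri))
```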

mokraemer commented 1 year ago

It is OK to force better keys. But e.g. php gangsta has a default length of 80 bits. And I was confused that now I was warned about an unsafe "algorithm" and did not know that "only" the length should be extended to >128.

kingma-sbw commented 1 year ago

I'm not sure if the hint to swap the OTP app just for GH is an acceptable solution.

telephon commented 8 months ago

Also, the QR-code displayed after the scan doesn't visually match the original QR-code – this is very confusing. I would expect such a behavior from an app that has been tinkered with.