npmccallum
commented
8 years ago Comment by adelton on 8 Nov 2015 18:15 UTC Right, this seems like a bug since the behaviour differs from output in Appendix D of RFC 4226:
For key 12345678901234567890 / 0x3132333435363738393031323334353637383930 / GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ, the first two codes should be 755224 and 287082, not 094451 and 755224.
josh-cain
Reported by xlynx on 9 Feb 2015 03:27 UTC FreeOTP Version 1.5 (16) Android 4.3
I had a lot of trouble adding my Ubuntu One / Launchpad account, and finally realised why.
As a simple test, add an account:
First field: anything Second field: anything Secret: DINBUGX7 Type: HOTP All other fields as default. Note that "Counter" defaults to 0.
The first password will be 969901, but where does this come from? It should be 609693:
$ oathtool -c 0 -b DINBUGX7 609693
FreeOTP gives 609693 at counter 1. In fact, Google Authenticator, Duo Mobile and oathtool all give FreeOTP's second result as their first. Therefore I believe FreeOTP's counter position 0 is erroneous, and all positions are offset by 1.