Open ThatUSser-dev opened 4 years ago
Hi, can you make sure biometrics setup is done after the restore? Did you perform an encrypted backup? If yes, I wonder if you could try a factory wipe of the phone then restore from backup.
This is actually the second attempt at restoring the device. Yes, Biometrics and Encrypted Backup are on. Is there a way to extract the secret from the backup?
I'm afraid not, the tokens are stored in the Android keychain for security reasons. Are all tokens not working, or only the tokens which had security TouchID enabled? What device and iOS version? I'd like to try and reproduce the issue.
Thanks for reporting this issue, I was able to reproduce the problem - I am currently looking into a solution.
You're welcome.
Is there any hope that we can restore the lost keys somehow?
It does not look too hopeful because the problem appears to be a bug in the swift keychain API when using SecAccessControlCreateWithFlags to define access controls for keychain items included in an encrypted backup. Only after an encrypted backup and restore, attempting to retrieve the keychain item with this access control object returns errSecItemNotFound. We are setting the kSecAttrAccessibleWhenUnlocked attribute which works prior to doing a backup + restore, and also it works as expected when it gets set for non-locked tokens using the kSecAttrAccessible attribute.
The access controls are set on the OTP code only when the token is added (when storing the token secret into the keystore). There is no API to explicitly delete the kSecAttrAccessControl attribute, so I will be submitting a fix to set the kSecAttrAccessible attribute when tokens are added, which addresses this issue in my testing; then we will prompt for biometrics in the view controller code. As this attribute only gets set when adding a token initially, 'locked' tokens must be added, or re-added, after the fix is released to be accessible after encrypted backup and restore. This does not affect backup and restore of non-locked tokens. Apologies for the problems you experienced here, I hope to get this fixed and a new release out ASAP.
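The change described in the comment above, sketched in Swift as an added example; it is not FreeOTP's code, and the service name, the function names and the `.biometryAny` flag are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical service name, for this example only.
let service = "example.otp.tokens"

func baseQuery(_ account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

// Before: the secret carries a keychain access-control object.
// The .biometryAny flag is an assumption; the thread does not name the flags used.
func addWithAccessControl(_ secret: Data, account: String) -> OSStatus {
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlocked, .biometryAny, nil)
    else { return errSecParam }
    var attrs = baseQuery(account)
    attrs[kSecAttrAccessControl as String] = acl
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

// After: only an accessibility class is set, as the fix in the thread describes.
func addWithAccessible(_ secret: Data, account: String) -> OSStatus {
    var attrs = baseQuery(account)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlocked
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

// The biometric prompt now lives in app code. It is a UI gate: the keychain
// itself hands the secret to the app without requiring biometrics.
func readLocked(account: String, done: @escaping (Data?, OSStatus) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Show one-time code") { ok, _ in
        guard ok else { return done(nil, errSecAuthFailed) }
        var query = baseQuery(account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        // errSecItemNotFound after a restore: metadata survived, the secret did not.
        done(item as? Data, status)
    }
}
```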
To whom it may concern, I recognized the same issue after transferring the data from one iPhone to a new one today. I did not use a backup, I transferred the data directly from iPhone to iPhone. Same behaviour: all entries are available but they do not work. Even pasting OTP data to the clipboard does not work.
Is this the same issue?
Thanks in advance.
Matthias
Can you clarify how data was transferred exactly? I'm not sure what you mean by transferring data without a backup.
Do you have locked and unlocked tokens? If the problem only affects locked tokens then likely it is the same issue.
Hi. I have updated to the new version 2.2. But I'm still having the same problem.
Now the only difference is that when I tap to see the code, the app asks for my Touch ID, but after I authenticate with my Touch ID, nothing happens.
If a backup and restore was done prior to version 2.2, the locked OTP codes on the restored device are no longer accessible - that is because the token restored on the device did not have the correct access control attribute set on the keychain OTP, the access control is only set when the token is initially added to the keychain. Therefore the token no longer contains the OTP code, even though you can see the other token metadata.
The updated access control should now be set correctly for any existing, or newly added locked tokens - it will require taking a new encrypted backup on version 2.2. However, as I said above, due to the code path of where this issue was fixed it did not allow me to fix previously restored locked tokens. These are tokens that will ask for touch ID but not show anything after authenticating.
It would be appreciated if others in this thread can confirm this.
I have the same issue: I restored my iPhone with iTunes, and the FreeOTP app doesn't ask for my TouchID anymore. It's a nightmare, I can't access my accounts anymore. Please help!
The iOS/macOS security model does not include Apple Keychain items with biometrics authentication access control set in encrypted backups; this was discovered and https://github.com/freeotp/freeotp-ios/commit/019b603c828602cafb2bb828939c0d43c1e38db9 was added to warn users about this.
iOS/MacOS security model does not include Apple Keychain items with biometrics authentication access control set in encrypted backups,
so just as a confirmation, there is no way to get access to my 2fa codes again?
Unfortunately no, the token metadata still exists but not the OTP secret which is what you will see after restore. Perhaps it makes sense to include a disclaimer on the FreeOTP readme about this.
So, I've got a big problem here:
I have restored my phone from an iOS-Backup. I had the option for "enable TouchID" enabled. Now, the accounts are "there", but nothing happens when I click them.
Can somebody help?