Closed mgorny closed 6 years ago
Ok, I've actually looked into the code, and tested with the official Google Authenticator Android app, and it doesn't make sense at all. Apparently the code is generated for tm=0. However, in the Authenticator Android app I didn't see any option to see a 'verification code' at all.
FWICS, with HOTP:
So with HOTP only the FreeOTP app lets you make use of the verification code, and only after the second tap (I haven't tested if earlier code lets you log in).
With TOTP the generated code has no relevance to the clock, so it makes no sense without a dedicated implementation supporting this special kind of verification code.
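The mismatch described in the comment above, as an added illustration that is not part of the thread or the project's code. It uses the standard RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms with the RFCs' test secret, and assumes, as the comment reports, that the printed verification code corresponds to time step 0; the function names are illustrative.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def seconds_left(unix_time: int, step: int = 30) -> int:
    """Seconds until the code for the current time window stops being shown."""
    return step - (unix_time % step)


def matches_app(printed_code: str, secret: bytes, unix_time: int) -> bool:
    """Would a code printed at setup equal what a TOTP app shows at unix_time?"""
    return hmac.compare_digest(printed_code, totp(secret, unix_time))


# Constructed sample data: the RFC test secret and an RFC 6238 test timestamp.
SECRET = b"12345678901234567890"
NOW = 1111111109

if __name__ == "__main__":
    step0_code = hotp(SECRET, 0)  # assumption: code computed for step 0
    print("code for step 0:       ", step0_code)
    print("code the app shows now:", totp(SECRET, NOW))
    print("matches:               ", matches_app(step0_code, SECRET, NOW))
    print("seconds left in window:", seconds_left(NOW))
```
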
What are you asking for in this bug?
Reopen if you make this bug actionable. TOTP and HOTP certainly work and are useful.
What I'm reporting is that I can't find use for 'Verification code' printed by google-authenticator. What I was asking for was printing something that could be actually used by the user.
Ah right.
I've just submitted changes that should hopefully fix this:
Left to do: add switch to suppress code confirmation, to ease automation.
You could already do "quiet" (-q) to suppress confirmation. But -C is coming soon to not need quiet.
When setting up, the google-authenticator tool prints:
However, given that with the default settings the code is valid for no more than 30 seconds (and often less than that), it is quite unlikely for the user to manage to set the app up fast enough to actually see the same code. Ergo, the code can't be verified using it and it's useless.
I can think of two ways to solve this. Either: