google / google-authenticator

Open source version of Google Authenticator (except the Android app)
Apache License 2.0

No more checksum validation in Android App version 2.15 ? #160

Closed ThomasHabets closed 10 years ago

ThomasHabets commented 10 years ago

Original issue 161 created by juergen.kremp on 2012-04-04T19:48:07.000Z:

What steps will reproduce the problem?

  1. Start Google Authenticator
  2. Try to manually add account with the following start code: "rfcdhhfgcughfaadxytf"
  3. The account is successfully added

What is the expected output? What do you see instead? Expected: rejected code because the checksum is wrong. When you try to enter the same code in the current iOS app, you get a message that the code is not correct.

What version of the product are you using? On what operating system? Android, Version 2.15

Please provide any additional information below.

ThomasHabets commented 10 years ago

Comment #1 originally posted by klyubin@google.com on 2012-04-04T20:11:56.000Z:

Interesting... I don't think any version of Google Authenticator for Android had code/checksum validation. In which version of the Android app did you see the validation feature?

ThomasHabets commented 10 years ago

Comment #2 originally posted by juergen.kremp on 2012-04-04T20:54:22.000Z:

You have a good point here.

In fact it might be that the validation was observed by me only in the iOS version (with which I started playing around with Google Authenticator, and "playing" also means typing in random data to see what it does), and the Android version never had it and I only smelled a regression after the "Authenticator --> Google Authenticator" update.

However, in this case what do you think about removing the "2.15 ?" from the title? I think there are Android devices without a camera, which cannot scan a QR code, so that manual entry is a must, and a typo here would then result in wrong codes. Wouldn't checksum validation be a good idea also on Android? A "messaging" mechanism for wrong codes is already present (when you enter a too short key, you get a message).

ThomasHabets commented 10 years ago

Comment #3 originally posted by klyubin@google.com on 2012-04-04T21:46:05.000Z:

Thanks! I don't think the iOS Authenticator performs checksum validation either. This is because there is no checksum included in the keys that these apps handle (see RFC 6238 -- http://tools.ietf.org/html/rfc6238). Perhaps the difference in behavior can be explained by different minimum key lengths required by the two apps? The Android app requires a minimum of 80 bits, which is 16 characters (the key is base32 encoded).

Your suggestion for adding some checksum is a good one and it's probably a good idea to file a feature request.

ThomasHabets commented 10 years ago

Comment #4 originally posted by juergen.kremp on 2012-04-05T07:38:45.000Z:

And again you got me.

After careful review of the Google Authenticator on iOS and Android I admit that what I interpreted as "checksum validation" in fact was just a length check for the start code.

On iOS, the start code must be exactly 16 characters, otherwise I get the "Invalid code" message.

On Android, the start code must be at least 16 characters. Longer codes are accepted. However, codes with an odd length yield the same authentication codes as the start code where you remove the last position in the start code.

As no checksum validation ever existed, you can close the ticket. Thanks for your support.

ThomasHabets commented 10 years ago

Comment #5 originally posted by klyubin@google.com on 2012-04-05T09:57:28.000Z:

You're welcome! When decoding the base32-encoded secret we do indeed drop any last bits that don't form a full byte.
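The following is an added illustration, not code from the google-authenticator project (the Android app is written in Java; this is a Python model of the behaviour the thread describes). It decodes an unpadded base32 secret the lenient way the last comment explains (trailing bits that do not fill a whole byte are dropped), derives TOTP codes per RFC 6238 (HMAC-SHA1, 30 second step, 6 digits, which are assumed defaults here), and shows why a 17-character key produces exactly the same codes as its 16-character prefix. It also contains a small pre-check a client could run on manually typed keys to warn when bits would be silently discarded; the function names and the 16/17-character sample keys are constructed for this example, with the 20-character key taken from the issue report.

```python
import hashlib
import hmac
import time

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def normalize_key(key: str) -> str:
    """Strip spaces and padding and upper-case, as a manual-entry UI would."""
    return key.replace(" ", "").rstrip("=").upper()


def lenient_base32_decode(key: str) -> bytes:
    """Decode unpadded base32 the way the thread describes the Android app
    doing it: accumulate 5 bits per character and emit a byte whenever 8 bits
    are available; any leftover bits at the end are silently dropped.
    """
    acc = 0
    nbits = 0
    out = bytearray()
    for ch in normalize_key(key):
        val = BASE32_ALPHABET.find(ch)
        if val < 0:
            raise ValueError(f"not a base32 character: {ch!r}")
        acc = (acc << 5) | val
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1  # keep only the bits not yet emitted
    return bytes(out)  # the final `nbits` bits (0..7) are discarded here


def manual_entry_warnings(key: str, min_bits: int = 80) -> list[str]:
    """Checks a client could run before accepting a typed key (constructed
    example, not the app's own logic). A length that is not a multiple of 8
    characters means some bits of what the user typed never reach the HMAC,
    so a typo or missing character in that tail cannot be noticed."""
    clean = normalize_key(key)
    warnings = []
    total_bits = 5 * len(clean)
    if total_bits < min_bits:
        warnings.append(f"key has {total_bits} bits, fewer than {min_bits}")
    dangling = total_bits % 8
    if dangling:
        warnings.append(
            f"{dangling} trailing bit(s) would be dropped: length {len(clean)} "
            "is not a multiple of 8 characters"
        )
    return warnings


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(for_time // step), digits)


def codes_match(key_a: str, key_b: str, for_time: float) -> bool:
    """True when two typed keys yield the same TOTP code at `for_time`."""
    return totp(lenient_base32_decode(key_a), for_time) == totp(
        lenient_base32_decode(key_b), for_time
    )


if __name__ == "__main__":
    issue_key = "rfcdhhfgcughfaadxytf"  # 20 chars from the issue report
    key16 = "RFCDHHFGCUGHFAAD"         # constructed 16-char (80-bit) key
    key17 = key16 + "X"                # constructed: one extra character
    now = time.time()
    print(len(lenient_base32_decode(issue_key)), "bytes from the 20-char key")
    print("16 vs 17 chars give same code:", codes_match(key16, key17, now))
    for k in (issue_key, key16, key17):
        print(k, manual_entry_warnings(k))
```

The 17-character key carries 85 bits, but only 80 of them form whole bytes, so its decoded secret is byte-for-byte the 16-character key's secret and every code agrees. The same arithmetic shows that a 20-character key loses 4 bits: any typo in the character that only contributes those dropped bits passes unnoticed, which is the gap the reporter's suggestion of a checksum would close.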