google / google-authenticator

Open source version of Google Authenticator (except the Android app)
Apache License 2.0

Google Authenticator for Windows Phone 7 #49

Open ThomasHabets opened 10 years ago

ThomasHabets commented 10 years ago

Original issue 49 created by fsundqvist on 2011-03-07T17:19:14.000Z:

What steps will reproduce the problem?

  1. Visit Windows Marketplace on Windows Phone 7
  2. Search for Google Authenticator

What is the expected output? What do you see instead? Install and use Google Authenticator on Windows Phone 7, but it doesn't exist in the marketplace.

What version of the product are you using? On what operating system? Windows Phone 7

Please provide any additional information below. http://create.msdn.com/en-US/

ThomasHabets commented 10 years ago

Comment #1 originally posted by june@theonelab.com on 2011-03-18T16:02:37.000Z:

This is a pretty big deal, actually. Without it, two-factor auth is slightly painful for those that wish to use it for google accounts (SMS notwithstanding).

ThomasHabets commented 10 years ago

Comment #2 originally posted by juhapekka.piiroinen on 2011-03-20T10:18:18.000Z:

Maybe someone could create a Qt lighthouse project for Windows Phone 7, as there is an existing port for Windows CE and Windows Mobile.

I created a Qt based CuteAuthenticator last evening, so it might help. http://code.google.com/p/cuteauthenticator/

ThomasHabets commented 10 years ago

Comment #3 originally posted by cruetz on 2011-04-05T05:41:07.000Z:

Hey guys. I'm currently trying to work on a basic implementation of the HmacSHA1 calculations that are needed to compute the PINs in C#. I've hit a major wall. Java by default uses signed byte arrays and C# uses unsigned. This is normally not a problem due to simple conversions, however the HmacSHA1 provider in C# only accepts an unsigned byte array. The hash it outputs from the unsigned secret key is different than the hash output from Java. Obviously this produces different, nonworking PINs. This is the only thing that I cannot replicate from Java. Without writing a new HmacSHA1 implementation (P.I.T.A.) that can work on signed byte arrays I cannot think of any way else to do this. Anybody have ideas?

I've seen the lighthouse project but I'd like to see this written straight in C#. Attached is my quick and dirty implementation. Please forgive the poor coding practices but it produces pins in a Windows Phone 7 Project (albeit wrong). A few redundant lines are there to facilitate step-throughs and debugging. Contribute if you have any ideas or have code that happens to work. It will be much appreciated! Thanks.

ThomasHabets commented 10 years ago

Comment #4 originally posted by markus@google.com on 2011-04-05T19:22:57.000Z:

I suspect that the bug is not actually a result of signed-ness problems. HMAC-SHA1 doesn't really care about signed-ness. It is well-defined for any type of input data. If two implementations give different results, something funky is going on.

I would start debugging this problem by running the test vectors from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf That should hopefully give you an idea where to start looking.

In addition, if you want to implement your own version of HMAC SHA1, it's really only a couple of lines of code. You can see an implementation in http://code.google.com/p/google-authenticator/source/browse/libpam/totp.html

Please note that for various reasons I was interested in writing a very compact implementation. So, this code might not necessarily be incredibly readable; and it certainly requires that you are familiar with JavaScript.

The two key-insights that help simplify the code are:

If you do decide to adapt the JavaScript code for your needs, please note that JavaScript has somewhat unusual semantics. All numeric variables are stored as floating point numbers. But whenever a bit-wise operator is used, they are treated as if they were 32bit integer numbers. When an arithmetic operator is used, they are sign-expanded to be a double-precision floating point number.

You can probably ignore this and just use 32bit signed integers for everything. But if things don't work out of the box, that's where you'd have to start looking. Also, please check that operator precedence in JavaScript is the same as in C#. Otherwise, you might have to add a few more parentheses.

Good luck.
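The check suggested in comment #4, written out as an added example (not code from this thread or from the google-authenticator project): it feeds the same key as signed and as unsigned bytes to HMAC-SHA1, compares against published vectors, and derives HOTP/TOTP PINs. It assumes Node.js with its built-in `crypto` module and uses the RFC 2202 and RFC 4226 vectors instead of the FIPS 198a ones; all function names are illustrative.

```javascript
const crypto = require("crypto");

// Normalise Java-style signed bytes (-128..127) or unsigned bytes (0..255)
// to the same raw octets: only the low 8 bits of each value matter.
function toOctets(bytes) {
  return Buffer.from(Array.from(bytes, (b) => b & 0xff));
}

function hmacSha1(key, msg) {
  return crypto.createHmac("sha1", toOctets(key)).update(toOctets(msg)).digest();
}

// HOTP moving factor: 8 bytes, big-endian (RFC 4226). littleEndian=true
// reproduces a reversed-byte-order bug so the two results can be compared.
function counterOctets(counter, littleEndian = false) {
  const buf = Buffer.alloc(8);
  buf.writeBigUInt64BE(BigInt(counter));
  return littleEndian ? buf.reverse() : buf;
}

function hotp(key, counter, digits = 6, littleEndian = false) {
  const mac = hmacSha1(key, counterOctets(counter, littleEndian));
  const offset = mac[19] & 0x0f;
  // Masking the top bit keeps the 31-bit value non-negative, so signed
  // 32-bit arithmetic (JavaScript bitwise ops, Java or C# int) agrees.
  const bin = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
              (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP is HOTP with the counter taken from the clock (30 s steps).
function totp(key, unixSeconds, step = 30, digits = 6) {
  return hotp(key, Math.floor(unixSeconds / step), digits);
}

// Published vector: RFC 2202 case 3 (key 20 x 0xaa, data 50 x 0xdd).
const unsignedKey = new Uint8Array(20).fill(0xaa);
const signedKey = new Int8Array(20).fill(-86); // same bit pattern as 0xaa
const data = new Uint8Array(50).fill(0xdd);
const RFC2202_CASE3 = "125d7342b9ac11cd91a39af48aa17b4f63f175d3";

// RFC 4226 Appendix D secret and its first three 6-digit values.
const rfc4226Key = Buffer.from("12345678901234567890", "ascii");
const RFC4226_PINS = ["755224", "287082", "359152"];

console.log(hmacSha1(signedKey, data).toString("hex") === RFC2202_CASE3);
console.log(RFC4226_PINS.map((_, c) => hotp(rfc4226Key, c)));
console.log(totp(rfc4226Key, 59), hotp(rfc4226Key, 1, 6, true));
```

If the HMAC vector matches but the PINs do not, the remaining suspects are the counter byte order, the truncation step and the device clock.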

ThomasHabets commented 10 years ago

Comment #5 originally posted by cruetz on 2011-04-05T21:37:18.000Z:

Thanks for the great suggestions. About 4 hours after I posted that and I was shredding my brain on the problem, I actually managed to figure it out. For some reason the byte arrays as input and product were reversed compared to the java equivalent. Upon fixing that, I found various other bugs and as of 3AM this morning, I had a working class that produces proper PINs. I don't want to spam this but unfortunately I can't submit the code file right now as I'm at work and don't have it with me. I'll post the class for anyone to use if someone (Google) is interested as soon as I get home tonight. Thank you again.

ThomasHabets commented 10 years ago

Comment #6 originally posted by benjamin.soulier on 2011-04-11T10:09:32.000Z:

That would be good if you could post this code to have a look, are you going to build an app on the MarketPlace for that or can Google do something here so that WP7 users don't feel left aside?

ThomasHabets commented 10 years ago

Comment #7 originally posted by cruetz on 2011-04-24T03:18:03.000Z:

Here you guys go. I've finished this app to the best of the current needs presented. This also only includes time based PINs. I've created a new google-code project to host the code files. I'm kind of new to this open source SVN community project deal so definitely tell me if I'm doing something wrong.

http://code.google.com/p/g-authenticator-wp7/

ThomasHabets commented 10 years ago

Comment #8 originally posted by danieltay.digi on 2011-04-25T18:53:25.000Z:

BLOCK LINKS FROM ANY OTHER SOURCES

ThomasHabets commented 10 years ago

Comment #9 originally posted by slugonamission on 2011-06-18T12:10:48.000Z:

I've also created a similar app based on Google Authenticator and the above project, and published it to the marketplace here: http://social.zune.net/redirect?type=phoneApp&id=021dd79f-0598-e011-986b-78e7d1fa76f8 (or just search for Authenticator).

ThomasHabets commented 10 years ago

Comment #10 originally posted by russell.sayers on 2012-03-01T01:23:00.000Z:

Hi all, I've also created a windows phone app here: http://windowsphone.com/s?appid=8a30b055-500a-4d37-af06-a5121b386ac4

Inevitably it looks very similar to cruetz's app even tho I wrote it before discovering this page! :)

Also played with the same OTP algorithm here: http://blog.tinisles.com/2011/10/google-authenticator-one-time-password-algorithm-in-javascript/ https://github.com/russau/ArduinoOTP https://twitter.com/#!/russaus/status/163232099220996096

ThomasHabets commented 10 years ago

Comment #11 originally posted by daniel1988 on 2012-03-04T01:03:34.000Z:

Comment 10: great app! I gave you 5 stars in marketplace

ThomasHabets commented 10 years ago

Comment #12 originally posted by russell.sayers on 2012-03-04T12:19:12.000Z:

Glad u like it Daniel! An update just got approved in the marketplace - the scan page should look like this: http://i.imgur.com/XyBTO.png. But I'm still seeing the old one :(. Interested to know if you are seeing a screen like the one attached. If not you should see it in the NEXT version.

ThomasHabets commented 10 years ago

Comment #13 originally posted by hobboy on 2012-07-26T13:15:17.000Z:

I'm going to try to have a go at all these apps, come back here with any feedback about which ones I prefer, things that I think could be improved.

So happy I found this page :D

ThomasHabets commented 10 years ago

Comment #14 originally posted by chris@infinitusdev.com on 2012-11-05T19:44:11.000Z:

Since the last time Google updated the Android and iOS versions of authentication (June or July), I've been unable to get accurate codes from any of the above apps. Any insights?

ThomasHabets commented 10 years ago

Comment #15 originally posted by russell.sayers on 2012-11-05T20:33:44.000Z:

Interesting, maybe google are now using features in the QR code that they previously didn't. Which would also break people on older Android/iOS versions? I'll check out my app tonight.

ThomasHabets commented 10 years ago

Comment #16 originally posted by sankara.rameswaran on 2012-11-05T20:35:07.000Z:

I used it yesterday and it was working fine for me.

ThomasHabets commented 10 years ago

Comment #17 originally posted by chris@infinitusdev.com on 2012-11-05T21:03:53.000Z:

Perhaps it's not the app(s) or the lib. I've since tried this html/js solution https://github.com/gbraad/html5-google-authenticator hosted: http://gauth.apps.gbraad.nl/ here, and this works on every device I have (iOS, Android, Surface) except on my Windows phone in IE. This goes for all my 2 factor accounts, 3 Google and 1 Dropbox.

ThomasHabets commented 10 years ago

Comment #18 originally posted by sankara.rameswaran on 2012-11-05T21:05:40.000Z:

Just in case, check the time/timezone on your phone. The code is time dependent.

ThomasHabets commented 10 years ago

Comment #19 originally posted by chris@infinitusdev.com on 2012-11-05T22:32:25.000Z:

It looks like a time issue. The date time settings are no help since the auto feature doesn't seem to work.

ThomasHabets commented 10 years ago

Comment #20 originally posted by wblakeley on 2012-11-23T23:33:45.000Z:

Searching the Australian Windows Phone Store comes up with nothing... no authenticator apps for us here! Can one of you kind developers please enable your apps for all (or at least more) markets? Thank you!

ThomasHabets commented 10 years ago

Comment #21 originally posted by russell.sayers on 2012-11-24T00:37:15.000Z:

My app is defn on the Aussie market place, try this link http://www.windowsphone.com/en-au/store/app/virtual-tokenfactor/8a30b055-500a-4d37-af06-a5121b386ac4

As a sydneysider I can also provide local hours support :)

ThomasHabets commented 10 years ago

Comment #22 originally posted by wblakeley on 2012-11-29T02:34:12.000Z:

Excellent, thanks Russell. Perhaps I was just searching Authenticator or something. Anyway, clicking that link installed it, and it's all set up in LastPass now. Thank you so much!

ThomasHabets commented 10 years ago

Comment #23 originally posted by Sealegion227 on 2012-12-12T20:07:03.000Z:

Please release an official google authenticator app for windows phone 8!

ThomasHabets commented 10 years ago

Comment #24 originally posted by david.cobb on 2014-06-03T17:16:25.000Z:

Hey I just turned on 2 step authentication with google authenticator, even though I have a windows phone. I installed Windows authenticator on my Windows phone. I chose to use the google authenticator app in security settings. When you enable the option you must choose Android, iPhone or Blackberry (no Windows Phone choice). I chose Android, then it displayed the QR Code. I captured the code in my Windows authenticator app and registered it successfully.

So even though there's no Windows Phone choice offered when setting up the authenticator app, choosing Android then using my Windows Authenticator app works!