google / google-authenticator

Open source version of Google Authenticator (except the Android app)
Apache License 2.0

iOS 9 TOTP Generation #518

Open specialbrew opened 9 years ago

specialbrew commented 9 years ago

Since the release of iOS 9, it appears that the device time is not synchronizing correctly, which is resulting in codes that cannot be verified by servers that are using any other NTP solution (e.g. having the correct time). Has anybody here experienced this issue? Links:

SteveyPugs commented 9 years ago

Yep, same here. My phone is about 44 seconds ahead.

akerl commented 9 years ago

This doesn't seem like something that can be handled/fixed in this project.

specialbrew commented 9 years ago

We were comparing Google Authenticator to Authy, and Authy seems to be using an external time service to calculate the token on the same device with the same shared secret. Would it be possible to make a preference to use an external time stamping service (e.g. https://www.openssl.org/docs/manmaster/apps/ts.html) in the mobile applications for this project?

ThomasHabets commented 9 years ago

I assume you are all using the Google Authenticator on the App store?

I have forwarded a link to this issue to the maintainers of the app store version.

specialbrew commented 9 years ago

Yes, I realized after the post that the version in the App store is different than here. Thank you for forwarding. The 'solved' tag from reddit is in reference to the workaround of manually setting the clock. This is reasonable for an individual use case, but we are looking for an enterprise solution. We may need to explore something like Authy as our enterprise solution. Thank you.

ThomasHabets commented 9 years ago

Are you seeing this problem with Google OTPs, other services like GitHub, your own PAM installations, or something else?

That is, could this problem be ameliorated on the server side instead of on the app, until Apple start getting their time sync act in gear?

specialbrew commented 9 years ago

We have opened a ticket with the server product vendor to see if there is a way to configure the allowable time steps variance (RFC 6238 section 6). The answer should come from Apple about the time sync; we are currently working through our channels to open a ticket with Apple.
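
The server-side variance discussed above, as an added example that is not part of the original thread or the project's code: a TOTP verifier with a configurable step window and a per-token drift offset (RFC 6238 section 6), measured against the 44-second skew reported earlier. The names `verify` and `acceptance_rate` are hypothetical, the 30-second step, HMAC-SHA1 and six digits are the RFC defaults, and the replay check goes slightly beyond what the thread mentions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret, code, server_time, window=1, drift=0, last_counter=None):
    """Return the counter that matched, or None.

    window: steps accepted on either side of the expected counter.
    drift: step offset stored for this token after an earlier login (resync).
    last_counter: highest counter already accepted; blocks reuse of a code.
    """
    expected = server_time // STEP + drift
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = expected + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

def acceptance_rate(secret, skew_seconds, window, start=1_443_000_000):
    """Fraction of one full step in which a client whose clock is off by
    skew_seconds gets its code accepted (start is a constructed timestamp
    aligned to a step boundary)."""
    hits = 0
    for t in range(start, start + STEP):
        client_code = hotp(secret, (t + skew_seconds) // STEP)
        hits += verify(secret, client_code, t, window) is not None
    return hits / STEP

SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret, not a real key

if __name__ == "__main__":
    for w in (0, 1, 2):
        print(f"window=±{w}: {acceptance_rate(SECRET, 44, w):.0%} of logins accepted")
```

With a clock 44 seconds ahead, a window of one step accepts only about half of the logins, because the client is one or two steps ahead depending on where in the step the login happens. Each extra step in the window keeps every code valid for 30 seconds longer, so storing the matched offset as `drift` keeps the window small once a token has resynchronized.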

rudolphfroger commented 9 years ago

One could consider if Google Authenticator should access an external time server (when available) instead of relying on the time on the phone. Or maybe as a setting in the Google Authenticator app?

ThomasHabets commented 9 years ago

Such a pull request would be accepted. See caveat above about open source version vs app store.