guyht / notp

Node One Time Password library, supports HOTP, TOTP and works with Google Authenticator
https://github.com/guyht/notp
MIT License

Same secret with Google Authenticator and NOTP, different tokens #47

Closed TomasHubelbauer closed 6 years ago

TomasHubelbauer commented 6 years ago

Hey, I have obtained a TOTP shared secret key from GitHub and I have manually inserted the secret into both Google Authenticator and NOTP and verified that the values are correct. I did this twice manually and once using the QR code from GitHub to set up Google Authenticator.

Here's my NOTP code, I am using literally just this line:

const notp = require('notp');
// '<the secret>' is the 16-character string exactly as shown by GitHub
console.log(notp.totp.gen('<the secret>'));

The secret is a string in the format of 16 lowercase letters and numbers as provided by GitHub.

Google Authenticator and NOTP give me totally different codes. I have tried to cross the time window boundary to check if maybe NOTP was giving me a token one window too old or too new, but they just seem to be completely unrelated. Needless to say GitHub won't accept my TOTP token, but will accept Google Authenticator's.

Am I missing options which I should be using? According to the README, the only relevant option is time, which I think the defaults cover and match what Google Authenticator is doing, so I am confused as to why the difference exists.

Steps to Reproduce:

TomasHubelbauer commented 6 years ago

Interestingly, I have the same problem with SpeakEasy: speakeasyjs/speakeasy#102. NOTP and SpeakEasy give me the same code, but it is not accepted by GitHub and is different from Google Authenticator and Microsoft Authenticator, which both give me the same, valid, code.

TomasHubelbauer commented 6 years ago

Sorry, I didn't decode the secret from Base32 to ASCII. (Thank you @markbao)