heapsource / active_model_otp

Adds methods to set and authenticate against one time passwords (Two-Factor Authentication). Inspired in AM::SecurePassword
MIT License

Update otp_secret_key #33

Closed sahilchopra closed 3 years ago

sahilchopra commented 8 years ago

After updating otp_secret_key to ROTP::Base32.random_base32, the OTP doesn't match the Google Authenticator OTP.

stulentsev commented 5 years ago

Did you re-bind this user's authenticator with the new secret key?

pedrofurtado commented 3 years ago

Hey everyone! Is this still an issue? Or can we close it?

diegopolido commented 3 years ago

Hey @pedrofurtado Seems it is! I have a bunch of customers having this same problem (but many other customers got the match to enable the 2fa)! I did this:

User.find_each { |user| user.update_column(:otp_secret_key, User.otp_random_secret) }

It seems this User.otp_random_secret generates the same pattern as ROTP::Base32.random_base32.

Also, I did some investigation and it seems there's some delay with Google Authenticator (i.e. user.otp_code is different from the Google Authenticator app's code, but the same after a bunch of seconds), and increasing drift for user.authenticate_otp doesn't work.

Could someone help me? I'm allowing users to operate the system without 2FA because of that error.

pedrofurtado commented 3 years ago

Hi @diegopolido ! Thanks for feedback 🤝

Could you confirm whether this occurs for you in the latest stable version (v2.1.1 at this moment)? If so, maybe we can help in a more assertive way with a minimalistic reproducible repo, what do you think?

Because here, we have been using active_model_otp for a long time, and we have never faced that issue. So, the mini-repo can help us to catch the root cause 🕵️ 🔍

pedrofurtado commented 3 years ago

Anyway, when we regenerate the otp_secret_key for a specific User, we must re-bind the new QR Code with the authenticator app, to keep them (authenticator app + backend) in sync 👍

Regenerating the otp secret key without rebinding the QR Code (which will be different from the previously used one) in the authenticator app will invalidate all 2fa attempts in your application.

I don't know if it's related to this issue, but this is an important note to be careful about 🍻

diegopolido commented 3 years ago

Yeah... I told the client to delete the old codes from the app and then read the code again. It didn't work.

pedrofurtado commented 3 years ago

Reference for guys with this problem of delay (clock time) between Google Auth app and backend: https://github.com/heapsource/active_model_otp/issues/46#issuecomment-815852023

Feel free to reopen this issue if the link above didn't work for your scenario 🤝
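The two failure modes discussed in this thread (a secret rotated on the backend without re-binding the app, and a clock skew between app and backend that only a drift window absorbs) can be reproduced with a minimal RFC 6238 TOTP implementation. The following is an added example written for this page, not code from active_model_otp or the rotp gem; the secrets and timestamp are constructed, and `authenticate_otp` here is a hypothetical stand-in for the gem's method of the same name.

```ruby
require "openssl"
require "securerandom"

# Minimal RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), written for this example.
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# A base32 secret of the same shape as the random_base32 output in the thread.
def random_base32(length = 32)
  Array.new(length) { BASE32[SecureRandom.random_number(32)] }.join
end

def base32_decode(str)
  bits = str.upcase.delete("=").each_char.map { |c| BASE32.index(c).to_s(2).rjust(5, "0") }.join
  bits.scan(/.{8}/).map { |b| b.to_i(2).chr }.join # leftover bits are zero padding
end

def totp(secret_b32, time, step: 30, digits: 6)
  counter = [time.to_i / step].pack("Q>")                      # 64-bit big-endian step counter
  hmac = OpenSSL::HMAC.digest("sha1", base32_decode(secret_b32), counter)
  offset = hmac.bytes.last & 0x0f                              # dynamic truncation
  code = (hmac.bytes[offset, 4].pack("C*").unpack1("N") & 0x7fffffff) % 10**digits
  code.to_s.rjust(digits, "0")
end

# Accept a code if it matches the current step or any step within +/- drift steps.
def authenticate_otp(secret_b32, code, time, drift: 0, step: 30)
  (-drift..drift).any? { |d| totp(secret_b32, time + d * step, step: step) == code }
end

# Reproduces the thread: rotating the secret invalidates the app's code,
# and a 40 s skew fails with drift 0 but passes with drift 1.
def rotation_demo
  old_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" # constructed: RFC 6238 test secret
  new_secret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" # constructed replacement secret
  t0 = 1_000_000_020                               # constructed timestamp at a step boundary
  app_code = totp(old_secret, t0)                  # what the user's authenticator app shows
  {
    before_rotation: authenticate_otp(old_secret, app_code, t0),
    after_rotation:  authenticate_otp(new_secret, app_code, t0), # update_column without re-binding
    skew_40s:        authenticate_otp(old_secret, app_code, t0 + 40),
    skew_40s_drift1: authenticate_otp(old_secret, app_code, t0 + 40, drift: 1),
  }
end
```

The RFC 6238 SHA-1 vector (secret "12345678901234567890", time 59) yields 287082 with six digits, which is a quick way to check a backend against a known-good clock before suspecting the secret.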