tutao / tutanota

Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.
https://tuta.com
GNU General Public License v3.0

2FA setup issues #1943

Closed nvhaver closed 3 years ago

nvhaver commented 4 years ago

Similar issues:

Bug in web app Setting up 2FA does not seem to be working correctly. (Response codes from authenticator are being rejected)

Describe the bug Using the information provided by the Tutanota client, multiple TOTP clients do not seem to be able to correctly set up their TOTP generator.

To Reproduce Steps to reproduce the behavior:

  1. Go to 'Settings' > 'Login'
  2. Click on 'Add second factor' (the '+' sign)
  3. Scan the QR code using either Aegis OTP or Google Authenticator or Microsoft Authenticator
  4. Fill in the code provided by the authenticator
  5. See error: "The TOTP code you entered is invalid. Please correct it."

Expected behavior The response code provided in step 4 is accepted.

Additional context As listed above, similar issues seem to have been fixed in the past. I have verified that my system clock is not out of sync.

The only TOTP client that seems to be able to work with the secrets generated by Tutanota is my KeePassXC's TOTP feature (using 'Default RFC 6238 token settings'). However, as this is where I store my passwords, I am reluctant to include my TOTP there as well (would still be single factor in my opinion). I would prefer using Aegis, as this tool allows me to verify the algorithm parameters after scanning the QR.

During debugging I stumbled upon an issue over on the KeePassXC GitHub on how they adapted their tool to handle Tutanota's tokens (among others). I did check the secret in Aegis after scanning the QR, but it seems to be correct. Perhaps this has something to do with the length of the generated OTP secrets?

Thanks in advance for your time and effort! Keep up the good work.

charlag commented 4 years ago

Hi, I just tried Aegis and Google Authenticator on Android 9 and they worked from the first try. I always used FreeOTP+ without issues.

We have stricter checks for adding TOTP than for logging in (1 interval of drift vs 2 intervals of drift, if I remember correctly). I would check for time differences between your devices because I don't see other reasons.

robfr77 commented 3 years ago

2FA TOTP is working on older iPhone model, following Tutanota documentation and ensuring all needed software updates are applied.

RelicCornhusk commented 3 years ago

I was also having the same problem but turned out there was a discrepancy of a few seconds or (maybe 1 minute) between devices, so I just set both to automatically determine the local time and it worked.

charlag commented 3 years ago

We allow for a drift of up to a minute in each direction when setting it up, and we don't plan to relax it further.
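The two maintainer comments above describe the mechanism behind the symptom: the server recomputes the RFC 6238 code for the current 30-second step and a small window of neighbouring steps, and a phone whose clock is off by more than that window produces a code the server never tries. The following is an added example, not Tutanota's code, that implements RFC 6238 TOTP with a configurable verification window and simulates a client clock skewed against the server. The 20-byte key is the RFC 6238 test-vector key, the base32 string is a constructed sample, and the window sizes (±1 step at setup, ±2 at login) follow the discussion in this thread rather than any inspection of the server.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 defaults, which is also what "Default RFC 6238 token settings"
# in KeePassXC means: 30-second step, 6 digits, HMAC-SHA1.
STEP = 30
DIGITS = 6


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code.

    Generators differ in whether they emit '=' padding and in letter case,
    so normalise both before decoding.  An unpadded or lowercase secret
    that one client tolerates and another rejects is a common cause of
    "invalid code" complaints unrelated to the clock.
    """
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int) -> bool:
    """Accept `code` if it matches the current step or any step within ±window.

    window=1 tolerates 30 to 59 s of device skew depending on where inside
    the step the check happens; window=2 tolerates 60 to 89 s.  The code
    comparison is constant-time so the check leaks nothing about which
    digits matched.
    """
    counter = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(key, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def accepted_with_skew(key: bytes, server_time: int, client_skew_s: int, window: int) -> bool:
    """Simulate a phone whose clock is `client_skew_s` seconds off the server's:
    the phone generates a code for its own time, the server checks it for the
    server's time with the given window."""
    client_code = totp(key, server_time + client_skew_s)
    return verify_totp(key, client_code, server_time, window)


if __name__ == "__main__":
    # RFC 6238 Appendix B test-vector key (ASCII "12345678901234567890").
    key = b"12345678901234567890"
    server_time = 1234567890  # exactly on a step boundary, so skews map cleanly
    for skew in (5, 45, 65, 95):
        print(f"skew {skew:3d}s  setup(window=1): {accepted_with_skew(key, server_time, skew, 1)!s:5}"
              f"  login(window=2): {accepted_with_skew(key, server_time, skew, 2)}")
```

Run stand-alone, the demo shows a 45-second skew passing the setup window while 65 seconds fails it yet still passes the login window, which is the gap the reporter fell into: a phone that works day to day at login can still be rejected at enrolment.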

nvhaver commented 2 years ago

After not looking at this issue for over a year, I came back to it to find that everything seems to be working now. I'm able to set up TOTP using Aegis. Not sure whether this is due to an update to Tutanota or Aegis, but I can confirm that the issue is completely resolved and the TOTP works as intended.