
I just recovered from a headache after realizing the code given by Google Authenticator on my new phone is different than the one on my old phone. Given how it works, I thought they would be the same on both phones. How is it possible they aren't? Dropbox needed the code from my old phone even though I got it to give me the QR code to scan into Google Authenticator on my new phone (I think this is a bug in Dropbox's design).

Celeritas
  • The accepted answer in the question that you linked actually explains why it would be different: "...the server and client share a secret value and a counter, which are used to compute a one time password independently on both sides. Whenever a password is generated and used, the counter is incremented on both sides..." – Purefan Feb 07 '17 at 08:56
  • @Purefan How would my Google Authenticator app know that I actually use one of the displayed codes? – Marcel Feb 07 '17 at 09:56
  • When you used your old code it became invalid. Unless you never enabled internet on your old phone and never enabled internet on your new phone, they synced at some point. – Purefan Feb 07 '17 at 10:07
  • @Purefan at no point does it say that the "secret" is different for each instance. – Celeritas Feb 07 '17 at 10:19
  • I fail to see why you would expect it to be the same secret. As I understand it, the "secret" is generated when the QR code is scanned; that means that 2 scans equal 2 different secrets, and since you need to do a scan to enable the second device you would effectively create a new "secret". – Purefan Feb 07 '17 at 10:31
  • The word "secret" doesn't mean it's unique each time it displays a QR code. – Celeritas Feb 07 '17 at 10:44
  • Recovering from a headache as big as the OP's: in my case there were 2 people's devices generating "incorrect codes", even when scanning the QR codes again and again. The problem actually was incorrect date-time settings on those devices: non-automatic time and non-automatic (or incorrect) timezones. – jonayreyes Mar 29 '22 at 14:21

1 Answer

You said you got a new QR setup code? This invalidates the old one, at least with Google itself.

You should have kept the original QR setup code somewhere and used that to set up the Google Authenticator app on the new phone too. Then I would expect the displayed codes to be the same.

I have done it like this on my various accounts with 2FA, and have now set up Google Authenticator on my 3rd phone without any access problems. I do not use Dropbox specifically, however.

Marcel
  • I think Dropbox has a bug. If you already have 2-factor auth enabled and you click to add another device for it, it doesn't make sense that the new device's code doesn't work. – Celeritas Feb 07 '17 at 10:20
  • @Celeritas This really sounds like a design flaw on Dropbox's behalf. I never needed to tell any of my 2FA-enabled sites that I have a new device. Just scanned the original setup QR code on the new phone, and voila, it just worked. – Marcel Feb 07 '17 at 10:25
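The three situations discussed above (same QR code on both phones, a freshly issued QR code, and a phone with a wrong clock) can be reproduced with a plain RFC 6238 TOTP implementation. This is an added example, not code from the question, the answer, or Google Authenticator itself; both secrets are constructed values (the first is the RFC 4226/6238 test seed in base32, the second stands in for the new secret a site issues when you ask for another QR code), and the 30-second step and 6-digit length are Google Authenticator's defaults.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secrets, not real account secrets. RFC_TEST_SEED is the base32 form of the
# RFC 4226/6238 test seed "12345678901234567890"; RESCANNED_SECRET plays the role of the
# fresh secret a site hands out when you request a new QR code.
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RESCANNED_SECRET = "JBSWY3DPEHPK3PXP"

STEP = 30    # Google Authenticator's time step, in seconds
DIGITS = 6   # and its code length


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the clock, so phones never need to sync with each other."""
    return hotp(secret_b32, unix_time // step)


def device_codes(unix_time: int, skew_seconds: int) -> dict:
    """What each phone from the thread displays at the same true time."""
    return {
        "old_phone": totp(RFC_TEST_SEED, unix_time),
        "new_phone_same_qr": totp(RFC_TEST_SEED, unix_time),                 # same secret -> same code
        "new_phone_rescanned": totp(RESCANNED_SECRET, unix_time),            # new secret -> unrelated code
        "new_phone_bad_clock": totp(RFC_TEST_SEED, unix_time + skew_seconds),  # right secret, wrong time
    }


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side.
    A few seconds of drift still passes; a wrong timezone (hours off) does not."""
    counter = server_time // STEP
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    for name, code in device_codes(1111111109, skew_seconds=3600).items():
        print(f"{name:22s} {code}")
```

Running it shows the first two entries identical and the other two different, which is exactly the answer's point: the code depends only on the shared secret and the current time, not on which phone computes it.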