
I recently turned on the multi-factor authentication on NordVPN and I use Authy for the authenticator. After scanning the QR code on the website, I found that the icon displayed in the Authy app was of "Best Auto Sales, LLC" instead of NordVPN (the mountain one).

The authentication was working properly. I typed an incorrect code on purpose and NordVPN didn't allow me to log in. Is it normal to have an icon that is completely irrelevant on the authenticator?

schroeder
Gary Hu

1 Answer


Most OTP 2FA systems make use of the otpauth URI. More details can be found here.

This URI is formatted as otpauth://TYPE/LABEL?PARAMETERS

eg: otpauth://totp/Example:alice@google.com?secret=0123456789ABCDEF&issuer=Example&foo=Bar

If you scan the QR code with a standard QR code scanner rather than Authy, the resulting string will look something like this:

otpauth://totp/Example:alice@google.com?secret=0123456789ABCDEF&issuer=Example

If you add this to the end of the following URL

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=<OTPAUTH STRING HERE>

it will build a QR code, e.g.:

[image: QR Code]

It would be my best guess that Authy is attempting to use the LABEL portion of the URI to populate the icon, and for whatever reason NordVPN's URI deviates from the template that Authy built its code around.

You could tamper with the URI in an attempt to get it to populate the icon correctly, or you could change the icon manually per Authy Support.

CaffeineAddiction
  • Would it be possible to launch a MITM attack where a compromised domain's icon would show up? – schroeder Sep 03 '21 at 15:49
  • @schroeder I would say that it would be highly, highly unlikely. Authy, as well as most 2FA apps like it, stores the secret locally and generates a nonce by hashing it and the current time. The icon is just a label on this locally stored data. – CaffeineAddiction Sep 03 '21 at 15:54
  • Thanks. I'm also writing to the Authy support and waiting for their reply. Displaying a wrong icon may be an indication that the app isn't getting the right code, which concerned me. – Gary Hu Sep 04 '21 at 08:17
  • Authy's support replied to me and said the app searched for the icon with the title of the account I try to register as the keyword. For NordVPN, the keyword was "Nord Account: [my email address]", and the app looked for the icon with "Nord Account" and so the correct icon didn't come out. As long as I manually searched for the icon with keyword "NordVPN", the correct one came out. Thanks, CaffeineAddiction. Your guess was correct. – Gary Hu Sep 09 '21 at 08:38
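As an added illustration (not code from the question, the answer, or Authy), the following Python parses an otpauth URI into its LABEL and issuer parts and generates the RFC 6238 code from the secret alone, showing why the name an app keys its icon lookup on ("Nord Account" in the label) can disagree with the issuer parameter without affecting the codes. The sample URI, its label, and the issuer=NordVPN value are constructed assumptions, and the secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample, not NordVPN's real URI: the LABEL prefix ("Nord Account")
# differs from the issuer parameter (assumed here to be "NordVPN"). The secret
# is the RFC 6238 test key, not a real one.
SAMPLE_URI = ("otpauth://totp/Nord%20Account:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=NordVPN")

def parse_otpauth(uri):
    """Split otpauth://TYPE/LABEL?PARAMETERS into its parts.
    LABEL is "issuer:account" or just "account" (the prefix is optional)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "type": parts.netloc,
        "label_issuer": prefix.strip() if sep else None,
        "account": (account if sep else prefix).strip(),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }

def label_issuer_mismatch(uri):
    """True when the name in LABEL and the issuer parameter disagree; an app
    that keys its icon lookup on one but not the other can pick the wrong icon."""
    info = parse_otpauth(uri)
    return info["label_issuer"] is not None and info["label_issuer"] != info["issuer"]

def totp(secret_b32, digits=6, period=30, at=None):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the
    time step, never on LABEL or issuer, so a wrong icon does not change it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)
```

Note that the answer's example secret 0123456789ABCDEF is not valid base32 (the RFC 4648 alphabet is A-Z and 2-7), so a real QR code would carry a different value.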