I use Google Authenticator currently for 2FA, things like connecting to VPN etc. I wanted to see if I could get the six digit code on my OSX box but for some reason oathtool never returns the same value as Authenticator. And the Authenticator code works, the oathtool one doesn't.
Interestingly, I've also tried in an iOS simulator with https://github.com/mattrubin/Authenticator on the same system and the code it produces agrees with oathtool and not Authenticator.
I suspected maybe this was a time sync issue, but after manually syncing my OSX time, the code is the same. I'm wondering if maybe there are default parameters in the TOTP algorithm that don't match, but I don't know what they'd be.
The oathtool command outputs something like the following:
% oathtool --verbose --base32 --totp "$SECRET"
Hex secret: ...
Base32 secret: ...
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2016-10-20 22:27:22 UTC (1477002442)
Counter: 0x2EF3E06 (49233414)
(Note, $SECRET above is the same value used to generate the QR code that Authenticator used.)
Any reason why these wouldn't agree?
Update
I tried to fiddle with the time 30 seconds on either side of my system's time using
oathtool --now "$(perl -e'use DateTime; print DateTime->now()->subtract(seconds=>30)->strftime( "%Y-%m-%d %H:%M:%S %Z" )')" -b --totp $SECRET -w 20|sort
The perl above generates time in the format of
2016-10-20 23:36:15 UTC
I also output 20 numbers each time, but none of them seemed to match what I have in Authenticator.
I assume you're using Google Authenticator on a phone? TOTP basically works by providing the current time (from Google in the case of Google Authenticator specifically) and your secret code. There is other stuff involved; a full explanation of TOTP is best left to another question. Does your system time and the time source from Google agree upon the UTC time? Try increasing the number of codes you generate, and manually modify the current time by 30 seconds before and after the actual current time and post the results. – Ramhound – 2016-10-20T22:55:58.083
Right, Authenticator is running from a phone. OK, I'll give that a shot, thanks. – jar – 2016-10-20T23:05:18.980
If you have access to a program like VMWare, load up a Windows Trial VM, and use WinAuth. See if that agrees. You sure the secret is correct? – Ramhound – 2016-10-20T23:53:35.690
Note that Google Authenticator has a "sync time against Google" option. Try that, just in case. But other than that, the Google app actually doesn't support anything but the defaults: 6 digits, 30s step. – user1686 – 2016-10-21T04:47:09.597
Well, thanks Ramhound for your thoughts, and sorry to waste your time... this turns out to be a PEBKAC issue, heh. The secret was wrong, I had been referencing the wrong chart/secret/QR URL. I had forgotten about a reset to my creds that had occurred. I punched in the right secret and all is well. – jar – 2016-10-21T11:44:33.223
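As an added example (not from the question, the comments, or oathtool itself), here is the TOTP computation with exactly the parameters oathtool printed above (base32 secret, 6 digits, 30 s step, T0 = 0), plus the same ±N-step search the update did with `-w 20`: if the phone's code is not found even with a generous window, the clock is not the problem and the secret, digits or step must differ. The base32 secret is the RFC 6238 test secret, a constructed sample, not the asker's.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32(secret: str) -> bytes:
    """Secrets copied from QR-code URIs are often unpadded or lower case; normalise first."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, step: int = 30, start: int = 0) -> int:
    """The 'Counter' line in oathtool's verbose output: floor((now - T0) / step)."""
    return (unix_time - start) // step


def totp(secret: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP with the defaults oathtool printed: 6 digits, 30 s step, T0 = 1970-01-01."""
    return hotp(decode_base32(secret), totp_counter(unix_time, step), digits)


def find_offset(secret: str, observed: str, unix_time: int, window: int) -> Optional[int]:
    """Search +-window steps around unix_time for the code the phone shows
    (what 'oathtool -w N --now ...' does). Returns the step offset, or None:
    then clock skew is ruled out and the secret, digits or step is the culprit."""
    key = decode_base32(secret)
    base = totp_counter(unix_time)
    for k in range(-window, window + 1):
        if base + k >= 0 and hotp(key, base + k) == observed:
            return k
    return None


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("counter for 1477002442:", hex(totp_counter(1477002442)))  # 0x2ef3e06, as oathtool printed
    print("code right now:", totp(SECRET, int(time.time())))
    print("offset of 287082 at t=59:", find_offset(SECRET, "287082", 59, 20))  # 0
```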