
TOTP secret with 26 Char length is not working with B2C

Open jeeszacharia opened this issue 2 years ago • 0 comments

Azure AD B2C's out-of-the-box TOTP authenticator does not support a 26-character secret. Sample followed: https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTPMigration.xml

If the secret length is 8, 16, 24 or 32 characters, the OTP code entered works.

  1. Create a valid 26-character base32 secret; for testing we used this link (https://totp.danhersam.com/).

  2. Add the secret to the Google Authenticator app to get an OTP code, or use the above-mentioned URL to get the OTP code.

  3. Use the secret in the technical profile “AzureMfa-BeginVerifyOTP” from the sample: either follow the exact steps in the sample or hardcode the secret in the technical profile below.

     ```xml
     <TechnicalProfile Id="AzureMfa-BeginVerifyOTP">
       <DisplayName>Create Device</DisplayName>
       <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
       <Metadata>
         <Item Key="Operation">BeginVerifyOTP</Item>
       </Metadata>
       <InputClaims>
         <InputClaim ClaimTypeReferenceId="secretKey" />
         <InputClaim ClaimTypeReferenceId="objectId" />
         <InputClaim ClaimTypeReferenceId="userPrincipalName" />
       </InputClaims>
     </TechnicalProfile>
     ```

  4. Run the user journey, logging in with a user ID and password; on the OTP verification screen, enter the OTP code from Google Authenticator or the online tool for the secret you added in step 2.

  5. Observe the "Wrong code entered" error.

  6. Repeat the same steps with an 8-, 16-, 24- or 32-character secret and observe that B2C validates the OTP code.

NOTE: AAD TOTP Authenticator works fine.

Secret tests performed:

  1. 8 char length secret: JHDGFDHJ - Worked (OTP code accepted by B2C)
  2. 16 char length secret: JHDGFDHJF3JHFGD - Worked (OTP code accepted by B2C)
  3. 24 char length secret: JHDGFDHJF3JHFGDJHFGJHDJ2 - Worked (OTP code accepted by B2C)
  4. 26 char length secret: JHDGFDHJF3JHFGDJHFGJHDJ23J - Not working (Wrong code entered)
  5. 32 char length secret: JHDGFDHJF3JHFGDJHFGJHDJ23JHHGJHD - Worked (OTP code accepted by B2C)

jeeszacharia avatar Jul 26 '23 02:07 jeeszacharia
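An added example, not from the issue or the sample policy, of one plausible cause that the issue itself does not confirm: 8, 16, 24 and 32 are multiples of 8, the RFC 4648 base32 quantum, while 26 is not, so a verifier that decodes the stored secret strictly (padding required) cannot decode a secret that a lenient authenticator app happily accepts. The script uses constructed secrets of the same lengths as the report above and shows the strict/lenient split and the re-padding normalization a verifier can apply before decoding.

```python
import base64
import binascii
import hashlib
import hmac
import struct

# Constructed test secrets (not real credentials), the same lengths as in the
# issue: 24 chars is a multiple of 8, 26 chars is not.
SECRET_24 = "JHDGFDHJF3JHFGDJHFGJHDJ2"
SECRET_26 = "JHDGFDHJF3JHFGDJHFGJHDJ23J"


def decode_base32_strict(secret: str) -> bytes:
    """RFC 4648 decode of the string as given: Python rejects any length that
    is not a multiple of 8, so an unpadded 26-char secret fails here."""
    return base64.b32decode(secret.upper())


def decode_base32_lenient(secret: str) -> bytes:
    """Authenticator-app style: drop whitespace and '=', then re-pad to a
    multiple of 8 so any secret length decodes (26 chars -> 16 bytes)."""
    s = "".join(secret.split()).rstrip("=").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def strict_decode_ok(secret: str) -> bool:
    """True if the strict decoder accepts the secret exactly as written."""
    try:
        decode_base32_strict(secret)
        return True
    except binascii.Error:
        return False


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30 s step and 6 digits (Google
    Authenticator's defaults). Returns the zero-padded code string."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_match(secret: str, unix_time: int) -> bool:
    """Would a strict verifier accept the code a lenient authenticator shows?
    False whenever the strict decoder cannot decode the secret at all."""
    if not strict_decode_ok(secret):
        return False
    return totp(decode_base32_strict(secret), unix_time) == totp(decode_base32_lenient(secret), unix_time)
```

A verifier that normalizes with `decode_base32_lenient` before deriving the key accepts all five lengths from the table above, which is the behaviour the authenticator apps already have.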