twofactor_totp

App not working across timezones

Open kworm1 opened this issue 8 years ago • 7 comments

This bug is unexpected to me so maybe there is another explanation.

The situation: I have a nextcloud server in Europe. My smartphone (and I) are in Australia.

The problem: The TOTP is not accepted and login is not allowed

I have tried with google authenticator and FreeOTP. Same problem in both cases.

I have checked the clock synchronisations between server and phone. They are perfectly synchronised.

However they are in very different timezones. I would have assumed that both your nextcloud app and FreeOTP/Google Authenticator used UTC as their timebase, but perhaps I am wrong.

If so, may I suggest if possible to use UTC as the timebase?

kworm1 avatar May 03 '17 01:05 kworm1

Are your phone and your server both timezone aware? Because normally PHP's time command (which is pretty substantial to this because TOTP uses the Linux timestamp, which is UTC by definition) only throws problems with U2F if the time isn't proper. I would suggest to throw a test php file which essentially just contains

<?php
// prints the current Unix timestamp: seconds since 1970-01-01 00:00:00 UTC,
// independent of the timezone configured in php.ini or on the phone
echo (time());
?>

and compare that to a live linux timestamp which you got from some website. If it's wrong by more than just a few minutes, check the timezone in your php.ini.

Also, of course, if your smartphone doesn't have the correct timezone set, it will fail instead with generating the code because it cannot know the correct UTC if you have the wrong timezone set.

My1 avatar May 11 '17 19:05 My1

Hello, thanks for the reply. I ran your php code and compared it to http://www.unixtimestamp.com/. The result is an exact match. I am using NTP so I would have been surprised if it wasn't the case, but a good thing to check anyway.

I also double checked my smartphone and the timezone is correct (and set automatically).

Cheers

kworm1 avatar May 12 '17 00:05 kworm1

Okay, this is really weird: your server throws the right unix time so the server doesn't have any timezone fails, and your phone seems to be correct too. Although it certainly works fine for the server I use, and I honestly don't even know where that thing is standing around.

@ChristophWurst is there some kind of debug option we could try to trace the problem?

The last thing that it could be is that the secret is wrong, which might happen in case you may have ticked the thing off and on again (maybe it also might happen if the plugin gets disabled on an update, although I didn't try that). The best bet is now to try to tick it off, delete your TOTP entries for the cloud in your app and re-setup the whole thing.

My1 avatar May 12 '17 01:05 My1

@ChristophWurst is there some kind of debug option we could try to trace the problem?

If you mean something like tell my why this OTP is invalid, no, I'm afraid that's not supported by the upstream library we use.

ChristophWurst avatar May 12 '17 13:05 ChristophWurst

Well, that's kinda sad. It would be awesome if we could just slap an echo (or var_dump) on the values it throws into the HMAC and compare that to whatever we actually have on the phone; that's at least what I usually do when I have problems. A direct "why" is also impossible due to how this stuff works: it's basically an HMAC with the secret and the unix time, and it will essentially just compare the HMAC with whatever the user entered. Same as with passwords in their hashed form, you cannot tell if the hash is screwed, the salt is wrong or just the password.

@kworm1 could you maybe give me a user (no storage or anything required except of course totp) and try a few things? essentially just playing around with the TOTP

My1 avatar May 12 '17 13:05 My1
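To make the two points raised in this thread concrete (the server and the phone both derive the code from the Unix timestamp, which is UTC by definition, and verification is just an HMAC comparison with no "why" available), here is an added worked example. It is not code from the twofactor_totp app, from the upstream library it uses, or from any participant in this issue; it implements RFC 4226 HOTP and RFC 6238 TOTP in Python and checks that computing the same instant from a Europe (assumed UTC+2) and an Australia (assumed UTC+10) wall clock yields the server's code. The secret is the RFC 6238 test secret; the function and variable names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from datetime import datetime, timedelta, timezone


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (the text shown under the QR code)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch (UTC)."""
    return hotp(secret, unix_time // step, digits)


def totp_from_local_datetime(secret: bytes, local_dt: datetime, step: int = 30, digits: int = 6) -> str:
    """Same code derived from an aware datetime in any timezone: timestamp() normalises to UTC."""
    return totp(secret, int(local_dt.timestamp()), step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` neighbouring steps
    (tolerates small clock drift). Only a yes/no answer exists; a mismatch cannot say whether the
    secret, the clock or the typed digits were wrong, which is what the thread's "no debug option" means."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), candidate):
            return True
    return False


def codes_agree_across_timezones(secret: bytes, unix_time: int) -> bool:
    """View one instant from Europe (assumed UTC+2) and Australia (assumed UTC+10) and confirm
    both wall clocks produce exactly the server's code: the offset cancels out of the counter."""
    instant = datetime.fromtimestamp(unix_time, tz=timezone.utc)
    europe = instant.astimezone(timezone(timedelta(hours=2)))      # assumed server zone
    australia = instant.astimezone(timezone(timedelta(hours=10)))  # assumed phone zone
    server_code = totp(secret, unix_time)
    return (totp_from_local_datetime(secret, europe) == server_code
            and totp_from_local_datetime(secret, australia) == server_code)


# Test secret from RFC 6238 Appendix B (SHA-1 column); its base32 form is what an app would scan.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30 s step:", totp(RFC6238_SECRET, now))
    print("identical from Europe and Australia wall clocks:", codes_agree_across_timezones(RFC6238_SECRET, now))
    print("RFC 6238 vector t=59 (8 digits):", totp(RFC6238_SECRET, 59, digits=8))
```

The takeaway for the diagnosis in this thread: if `time()` on the server matches a reference Unix timestamp and the phone's clock is NTP-synced, a timezone difference cannot change the counter, so a rejected code points at a secret mismatch (re-enrolment, as suggested above) rather than at geography.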

Hmm,

it actually works now. I hate this, but I can't really tell you what made it work.

I recreated and re-synced the secrets a number of times. I also uninstalled and reinstalled the app. I might also have switched phone, but I am not entirely sure about that.

I will be sure to let you know if it reappears, but for now it seems to be working.

Thanks for your help and sorry for the sudden fix without reason.

cheers

On 12 May 2017 at 23:21, My1 [email protected] wrote:

well that's kinda sad, would be awesome if we could just slap an echo to the values it throws into the HMAC and compare that to whatever we actually have on the phone, that's at least what I usually do when I have problems.


kworm1 avatar May 13 '17 10:05 kworm1

I can't confirm this. Sitting in India now, my server is in Europe; TOTP is working fine on my testing and my production setup.

tacruc avatar Dec 12 '17 18:12 tacruc