Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Base32 secrets with a length not a multiple of 8 may produce incorrect codes #135

Open
tommilligan opened this issue Feb 5, 2021 · 0 comments
Open

Base32 secrets with a length not a multiple of 8 may produce incorrect codes #135

tommilligan opened this issue Feb 5, 2021 · 0 comments

Comments

@tommilligan
Copy link

Due to an underlying bad base32 implementation (speakeasyjs/base32.js#4), base32 encoded secrets that are not of length 8, 16, 24, 32 etc. may produce invalid codes.

This behaviour depends on the value of the secret itself. For a comparison with Python's pyotp libaray, see these examples: pyauth/pyotp#115

This may be the underlying cause of the following issues:

Example: an incorrect code is generated for the secret S46SQCPPTCNPROMHWYBDCTBZXV (length 26).

> speakeasy.totp({"secret":"S46SQCPPTCNPROMHWYBDCTBZXV","encoding":"base32","time":1612380872})
'184825'

The python pyotp library produces a different value for the same inputs.

In [16]: pyotp.totp.TOTP("S46SQCPPTCNPROMHWYBDCTBZXV").at(datetime.fromtimestamp(1612380872))
Out[16]: '100172'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tommilligan