I think I've created the *least* secure multi-factor authentication code. Please can you try adding this to your MFA app and tell me if it *doesn't* work. THANKS GANG! #InfoSec #CyberSecurity #TOTP #MFA #2FA - ThreadSky

Edent.mastodon.social.ap.brid.gy • 12 days ago

I think I've created the *least* secure multi-factor authentication code.

Please can you try adding this to your MFA app and tell me if it *doesn't* work.

THANKS GANG!

#InfoSec #CyberSecurity #TOTP #MFA #2FA

Comments

dan.m.danq.me.ap.brid.gy•11 days ago

https://mastodon.social/@Edent KeePassDX initially appeared not to work because the UI won't allow a key size of less than 6 digits, but after manually overriding the `otp` attribute to read `key=ABCDEFGHIJKLMNO=&size=1&step=120` I was able to make it generate 1-digit codes with a 120-second duration.

Edent.mastodon.social.ap.brid.gy•11 days ago

https://m.danq.me/@dan size and step rather than digits and period?!

dan.m.danq.me.ap.brid.gy•11 days ago

https://mastodon.social/@Edent Yeah, KeePassDX has its own syntax for storing the data, for compatibility with a WAY-old plugin that KeePass (classic) used to use.

bowsy.co.uk•12 days ago

"Cannot interpret QR code" - Google Authentictor on Android

techviator.noc.social.ap.brid.gy•11 days ago

https://mastodon.social/@Edent Samsung Pass accepts it, shows 1 digit code with 120 seconds timeout. OneUI 6.1, Android 14. No screenshot allowed.

Edent.mastodon.social.ap.brid.gy•4 days ago

Thanks for all the feedback.
Based on this, I'm creating a TOTP test suite.

The basic idea is to create a bunch of optauth:// URls, encoded as QR codes, to see if your MFA app will handle them appropriately.

Edent.mastodon.social.ap.brid.gy•2 days ago

OK! It is ready to play with!

A Time-based One Time Password (TOTP) test suite. If you have an MFA app, I'd love to know where it fails with these tests.

https://edent.codeberg.page/TOTP_Test_Suite/

Very bare-bones. v0.01 quality. Feedback and more tests welcome.

tychotithonus.infosec.exchange.ap.brid.gy•12 days ago

https://mastodon.social/@Edent

Edent.mastodon.social.ap.brid.gy•12 days ago

https://infosec.exchange/@tychotithonus sorry, I should have been more clear. What's the name of the app and the OS you're using?

tychotithonus.infosec.exchange.ap.brid.gy•12 days ago

https://mastodon.social/@Edent Whoops, inappropriate use of alt text. Authy (in this case, Android)

nemo.tatooine.club.ap.brid.gy•12 days ago

https://mastodon.social/@Edent Tofu 1.11 / iOS 18.3.1 doesn't scan. Throws an "Invalid QR Code" error.

This is the code that trips: https://github.com/iKenndac/Tofu/blob/main/Tofu/Models/Account.swift#L16-L57

aburka.hachyderm.io.ap.brid.gy•12 days ago

https://mastodon.social/@Edent I don't really think I'm going to scan something you describe as "least secure"...

Edent.mastodon.social.ap.brid.gy•12 days ago

https://hachyderm.io/@aburka COWARD!

tshirtman.mas.to.ap.brid.gy•11 days ago

https://mastodon.social/@Edent FreeOTP on android tells me that it received an invalid token.

dominicsayers.mastodon.social.ap.brid.gy•11 days ago

@Edent OxygenOS 14.0 results:

1. Google Authenticator rejects it
2. Microsoft Authenticator adds it without complaint
3. BitWarden adds it as an otpauth://... URI

zerodogg.fosstodon.org.ap.brid.gy•11 days ago

https://mastodon.social/@Edent https://fosstodon.org/@ente Auth on iOS adds it without complaining.

Edent.mastodon.social.ap.brid.gy•11 days ago

https://fosstodon.org/@zerodogg Does ente show it as a single digit code with a 120 second timeout?
(Sorry, I don't have an iOS device to test with.)

zerodogg.fosstodon.org.ap.brid.gy•11 days ago

https://mastodon.social/@Edent Yup

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply