
Background

I've been working on a project that requires OTP for authentication and I've been able to get it mostly working, except for a few minor details. I've been using PyOTP to use Time-Based OTP codes sent to Google Authenticator for this.

The Issue

I've run into a problem when I'm executing the program on 2 computers. One computer is my laptop (which I have at home), and the other is my work PC. My issue is that, whenever I am trying to authenticate the codes at work, my program returns that the codes aren't valid. They are shown as being valid at home however. I created the program on my home laptop.

Attempts to fix

I've made sure both computers and my phone's clocks were synced up before this was an idea. Timing is not an issue. Both computers and my phone use the same "secret key", so that is not an issue. I made a second key and linked it up with Google Authenticator along with the first key, and that didn't work (I believed the hashes may not be the same, and I believe that may still be an issue).

Hunches

I know that PyOTP does use SHA hashing (where exactly in the module, I don't know!), and I know SHA hashing doesn't produce the same hash across different devices, so I am wondering if that is the issue, that the hashes aren't the same. I also know MD5 hashing does work across devices, so it may be the case that it is the hashing that may need to be changed.

If anyone can help with this, please let me know! I will update this with the results of whatever methods are used!

  • I don't know who told you "SHA hashing doesn't produce the same hash", but all the variants of SHA are equally consistent when implemented properly. Reproducibility is one of the defining features of a secure hash. – Max Mar 22 '22 at 18:54
  • What Max said. Cryptographic hashing algorithms (which MD5, the SHA family, etc. are) always produce the same output for the same input; that's the point. – AKX Mar 22 '22 at 18:55
  • Anyway, please show us some code! – AKX Mar 22 '22 at 18:55

1 Answer

-1

If you want to understand how TOTP actually works, check out these articles. The 1st one explains the gist of it; the 2nd and 3rd go into all the technical details. Link to the 1st part:

https://prezu.ca/post/2021-07-30-totp-1/

From there just click Next to get to part 2 and then Next to get to part 3.

  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center (/help/how-to-answer). – Community Apr 01 '22 at 15:37