0

I'm currently testing an OTP scenario using the website https://otptest.de/ and the OTP.NET library. However, I'm consistently getting different OTP PINs between my code and the website. I have provided my code in the following gist: text

I would appreciate any guidance on how to resolve this discrepancy and ensure that the OTP PIN generated by my code matches the one generated by the otptest.de website.

Tried otp scenario. Didn't generate same one with the website.

Steve Vinoski
  • 1
    OTP.NET works, as long as you use the *correct* key. That key may or may not be BASE32-encoded. Post minimal code that reproduces the problem in the question itself, not in a link to a gist that may disappear in 15 minutes. Post the `new Totp(...)` and `totp.ComputeTotp();` calls, what you expected and what you got – Panagiotis Kanavos Jun 13 '23 at 08:40
  • Please don't post links to your code. Instead, include the actual code in this question. – DavidG Jun 13 '23 at 08:46
  • @Panagiotis Kanavos thanks, that resolved the issue. I used Base32Encoding.ToBytes and it is resolved. Many thanks. – Emre Özgürüoğlu Jun 13 '23 at 08:54

2 Answers

1

I've run into this myself. The "secret" provided by most OTP generators is BASE32-encoded. OTP.NET expects the decoded bytes as a secret.

The following code produces the same token as the test site. It uses the Base32Encoding helper class to decode the secret into the actual bytes:

```csharp
using OtpNet;

// Decode the Base32 text into the raw key bytes that Totp expects
var base32Bytes = Base32Encoding.ToBytes("MYM5VAQ");
var otp = new Totp(base32Bytes);

var token = otp.ComputeTotp();
```

Panagiotis Kanavos
  • Many thanks. Normally I used Encoding.ASCII.GetBytes for this problem; I think that's why my code did not work. – Emre Özgürüoğlu Jun 13 '23 at 08:56
  • 1
    `.ASCII.GetBytes` guarantees lost data. It refers to the 7-bit US-ASCII codepage that can't even handle all English words, like `naïve`. In the case of randomly generated keys the chance of mangling a byte is 50% (all values above 0x7F) – Panagiotis Kanavos Jun 13 '23 at 08:58
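
The mismatch discussed in this answer and its comments, shown side by side at a fixed point in time. This is an added example, not code from the original answer or from the OTP.NET project; it assumes the Otp.NET NuGet package is referenced, and the secret is a constructed sample (the RFC 6238 Appendix B SHA-1 test key in Base32 form), not the asker's key.

```csharp
using System;
using System.Text;
using OtpNet;   // Otp.NET NuGet package, the library discussed above

class SecretEncodingDemo
{
    static void Main()
    {
        // Constructed sample: the RFC 6238 Appendix B SHA-1 test key
        // ("12345678901234567890") in the Base32 form an enrollment page shows.
        const string shownSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

        // Fixed instant from the RFC test vectors (Unix time 59), so the
        // two results can be compared without depending on the clock.
        DateTime at = DateTimeOffset.FromUnixTimeSeconds(59).UtcDateTime;

        // Wrong: the characters of the Base32 text used directly as the key.
        byte[] textBytes = Encoding.ASCII.GetBytes(shownSecret);
        // Right: the key bytes that the Base32 text encodes.
        byte[] keyBytes = Base32Encoding.ToBytes(shownSecret);

        // Same step (30 s) and hash (SHA-1) for both; only the key bytes differ.
        string fromText = new Totp(textBytes, totpSize: 8).ComputeTotp(at);
        string fromKey = new Totp(keyBytes, totpSize: 8).ComputeTotp(at);

        Console.WriteLine($"key lengths: text={textBytes.Length}, decoded={keyBytes.Length}");
        Console.WriteLine($"ASCII bytes of the text: {fromText}");
        Console.WriteLine($"Base32-decoded key     : {fromKey}");

        // 94287082 is the value RFC 6238 Appendix B lists for this key,
        // time 59 and SHA-1; only the decoded key can reproduce it.
        Console.WriteLine($"matches RFC 6238 vector: {fromKey == "94287082"}");
    }
}
```

Comparing the two key lengths is a quick check when a token does not match: a Base32 string passed through a text encoding is longer than the key it represents.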
0

There are a few potential issues I see here:

Different OTP algorithms - The website may be using a different OTP algorithm than OTP.NET. The most common ones are TOTP (Time-based One-time Password) and HOTP (HMAC-based One-time Password). Make sure you are using the same algorithm in your code as the website.

Different time intervals - For TOTP, the time interval plays a role in the OTP generation. Ensure you are using the same time interval (usually 30 or 60 seconds) in your code as the website.

Different secret keys - The secret key is the most important part of OTP generation. Make sure the key you are using in your code exactly matches the one provided by the website.

Time synchronization issues - For TOTP, any time differences between your system clock and the server clock can cause issues. Try to sync your system time as precisely as possible.

Looking at your code, a few things stand out:

You are using TOTP, but don't specify a time interval. The default is 30 seconds, so if the website is using 60 seconds that would cause a discrepancy.

You generate a new secret key, instead of using the one provided by the website. This will definitely generate different OTPs.

There could be time sync issues, though less likely given that you generate a new OTP every 2 seconds.

My recommendations would be:

Get the secret key from the website and use that exact key in your code.

Specify the time interval, e.g. totp.GenerateTotp(key, 60).

Double check that your system time is precise.

Generate OTPs at the same interval as the website, e.g. every 60 seconds for a T60 key.

Making these changes should resolve the issue and have your code generate the same OTPs as the website.

Good luck to you

  • This is a ChatGPT answer that doesn't even understand the question – Panagiotis Kanavos Jun 13 '23 at 08:48
  • I'm new here and just wanted help. – Imad Khalil Jun 13 '23 at 09:04
  • How does any of this help? Such non-answers are so bad they're actually banned [Temporary policy: ChatGPT is banned](https://meta.stackoverflow.com/questions/421831/temporary-policy-chatgpt-is-banned?cb=1). The "recommendations" will only cause people to get even more confused and lose even more time – Panagiotis Kanavos Jun 13 '23 at 09:11
  • As I told you earlier, I did not know the privacy policy about that. I will be more careful next time. I think the matter does not need this hostility. – Imad Khalil Jun 13 '23 at 09:21