starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 01:35:54 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #466] Cannot enable 2FA with Android Auth App #284

New issue
Closed
opened 2026-03-03 01:27:36 +03:00 by kerem · 9 comments
kerem commented 2026-03-03 01:27:36 +03:00
Owner
Copy link

Originally created by @crytectobi on GitHub (Apr 23, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/466

Hi,
I cannot activate 2FA with my Android phone and the Microsoft Authenticator app.
The log says:
[2019-04-23 19:35:27][rocket::rocket][INFO] PUT /api/two-factor/authenticator application/json; charset=utf-8:
[2019-04-23 19:35:27][_][INFO] Matched: PUT /api/two-factor/authenticator (activate_authenticator_put)
[2019-04-23 19:35:27][bitwarden_rs::error][ERROR] Invalid TOTP code. Invalid TOTP code

Bitwarden runs in a docker hosted on a openmediavault server.
That server is in time sync, the android phone has also the correct time.

Can I set the correct timezone in the bitwarden container? Is TZ env working or is this not implemented?
The openmediavault server is running in the Europe/Berlin timezone, phone as well. When the docker container runs in another timezone it might not work, right? Or any other ideas? :)

Originally created by @crytectobi on GitHub (Apr 23, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/466 Hi, I cannot activate 2FA with my Android phone and the Microsoft Authenticator app. The log says: [2019-04-23 19:35:27][rocket::rocket][INFO] PUT /api/two-factor/authenticator application/json; charset=utf-8: [2019-04-23 19:35:27][_][INFO] Matched: PUT /api/two-factor/authenticator (activate_authenticator_put) [2019-04-23 19:35:27][bitwarden_rs::error][ERROR] Invalid TOTP code. Invalid TOTP code Bitwarden runs in a docker hosted on a openmediavault server. That server is in time sync, the android phone has also the correct time. Can I set the correct timezone in the bitwarden container? Is TZ env working or is this not implemented? The openmediavault server is running in the Europe/Berlin timezone, phone as well. When the docker container runs in another timezone it might not work, right? Or any other ideas? :)
kerem closed this issue 2026-03-03 01:27:36 +03:00
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@shauder commented on GitHub (Apr 24, 2019):

Log into the docker shell and take a look at the time there. I do set my timezone for my docker container. Examples from my docker-compose.

    environment:
      - TZ=${TIME_ZONE}

    volumes:
      - /etc/localtime:/etc/localtime:ro

calvin% docker exec -ti bitwardenrs /bin/sh 
/ # date
Wed Apr 24 19:18:32 UTC 2019
<!-- gh-comment-id:486389668 --> @shauder commented on GitHub (Apr 24, 2019): Log into the docker shell and take a look at the time there. I do set my timezone for my docker container. Examples from my docker-compose. ``` environment: - TZ=${TIME_ZONE} ``` ``` volumes: - /etc/localtime:/etc/localtime:ro ``` ``` calvin% docker exec -ti bitwardenrs /bin/sh / # date Wed Apr 24 19:18:32 UTC 2019 ```
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@crytectobi commented on GitHub (Apr 24, 2019):

Time in the docker container seems correct:
docker exec -it Bitwarden date
Wed Apr 24 21:24:32 CEST 2019
It is about a minute off between my computer and the server. But that offset is okay for TOTP right?
Timezone is also correct.
EDIT:
Is port 3012 neccessary for this to work?

<!-- gh-comment-id:486392660 --> @crytectobi commented on GitHub (Apr 24, 2019): Time in the docker container seems correct: docker exec -it Bitwarden date Wed Apr 24 21:24:32 CEST 2019 It is about a minute off between my computer and the server. But that offset is okay for TOTP right? Timezone is also correct. EDIT: Is port 3012 neccessary for this to work?
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@shauder commented on GitHub (Apr 24, 2019):

I believe a minute can cause issues. Port 312 is just for web sockets.

<!-- gh-comment-id:486431510 --> @shauder commented on GitHub (Apr 24, 2019): I believe a minute can cause issues. Port 312 is just for web sockets.
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Apr 24, 2019):

The TOTP codes are generated per 30 second block, and at this time we only check the current time block, so any time deviation of over 30 seconds will not work.

Some implementations also check X time blocks before and after the current one, which would be a bit more insecure, but more convenient if the clients or the server aren't syncing their time with an NTP server.

We could potentially improve the situation by also checking the 2 blocks immediate to the current one, which would give a margin of 1.5 minutes, and it seems like an acceptable compromise between security and convenience.

<!-- gh-comment-id:486439201 --> @dani-garcia commented on GitHub (Apr 24, 2019): The TOTP codes are generated per 30 second block, and at this time we only check the current time block, so any time deviation of over 30 seconds will not work. Some implementations also check X time blocks before and after the current one, which would be a bit more insecure, but more convenient if the clients or the server aren't syncing their time with an NTP server. We could potentially improve the situation by also checking the 2 blocks immediate to the current one, which would give a margin of 1.5 minutes, and it seems like an acceptable compromise between security and convenience.
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@crytectobi commented on GitHub (Apr 25, 2019):

I fixed the offset, now it worked. I didn't know the time window is so small, most of the 2FA services I used also allow, as you mentioned, the block before and after.
Btw the offset was not a minute, it was only about 35 seconds.
Thank you for pointing this out. :)

<!-- gh-comment-id:486565856 --> @crytectobi commented on GitHub (Apr 25, 2019): I fixed the offset, now it worked. I didn't know the time window is so small, most of the 2FA services I used also allow, as you mentioned, the block before and after. Btw the offset was not a minute, it was only about 35 seconds. Thank you for pointing this out. :)
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@SebastianS90 commented on GitHub (Apr 25, 2019):

Right now it is possible to use the same token multiple times within the 30 seconds window. That opens an attack vector where an attacker gets password and current 2FA token (keylogger, hidden camera pointed on keyboard, just watch the victim typing, ...) and uses these to immediately login to the victim's account. By widening the window to 1.5 minutes this attack would gain more importance.

You can rule out that attack vector by saving the timestamp of the last used token on the server and for the next 2FA challenge enforce that a token for a later timestamp must be used. This prevents reuse of 2FA tokens.

lower = max (last_used_timestamp + 1, current_timestamp() - window);
upper = current_timestamp() + window;
success = false;
for (t = lower; t <= upper; t++) {
    if (check(provided_token, secret, t)) {
      success = true;
      save_timestamp(t);
      break;
    }
}
<!-- gh-comment-id:486598164 --> @SebastianS90 commented on GitHub (Apr 25, 2019): Right now it is possible to use the same token multiple times within the 30 seconds window. That opens an attack vector where an attacker gets password and current 2FA token (keylogger, hidden camera pointed on keyboard, just watch the victim typing, ...) and uses these to immediately login to the victim's account. By widening the window to 1.5 minutes this attack would gain more importance. You can rule out that attack vector by saving the timestamp of the last used token on the server and for the next 2FA challenge enforce that a token for a later timestamp must be used. This prevents reuse of 2FA tokens. ``` lower = max (last_used_timestamp + 1, current_timestamp() - window); upper = current_timestamp() + window; success = false; for (t = lower; t <= upper; t++) { if (check(provided_token, secret, t)) { success = true; save_timestamp(t); break; } } ```
kerem commented 2026-03-03 01:27:37 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Oct 7, 2019):

Is this still an issue?
As @dani-garcia posted on the 24th of April about allowing previous and next also.
I think this is kinda the default according to the wiki page:
https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm#Practical_considerations

It also is mentioned in the RFC6238: https://tools.ietf.org/html/rfc6238#section-6
There they talk about even going 2 time-steps back and forward. That would be to much if you ask me, since that kind of time drift will probably only occur with hardware-totp tokens which are older.
And not with the software/apps that will show the tokens most people use.

And if we implement the token-used-cache as explained by @SebastianS90, that would rule-out some hack-attempts. I even think that this could be a default item to include. Since, we just want it to be used ONCE, and not Twice.

<!-- gh-comment-id:539087892 --> @BlackDex commented on GitHub (Oct 7, 2019): Is this still an issue? As @dani-garcia posted on the 24th of April about allowing previous and next also. I think this is kinda the default according to the wiki page: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm#Practical_considerations It also is mentioned in the RFC6238: https://tools.ietf.org/html/rfc6238#section-6 There they talk about even going 2 time-steps back and forward. That would be to much if you ask me, since that kind of time drift will probably only occur with hardware-totp tokens which are older. And not with the software/apps that will show the tokens most people use. And if we implement the token-used-cache as explained by @SebastianS90, that would rule-out some hack-attempts. I even think that this could be a default item to include. Since, we just want it to be used ONCE, and not Twice.
kerem commented 2026-03-03 01:27:38 +03:00
Author
Owner
Copy link

@crytectobi commented on GitHub (Oct 8, 2019):

@BlackDex from my side the issue is fixed/closed, but there should be enhancements I guess.

<!-- gh-comment-id:539330481 --> @crytectobi commented on GitHub (Oct 8, 2019): @BlackDex from my side the issue is fixed/closed, but there should be enhancements I guess.
kerem commented 2026-03-03 01:27:38 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (Apr 8, 2020):

TOTP has been checking both the previous and next slots for some time now so this can be closed.

<!-- gh-comment-id:610947229 --> @dani-garcia commented on GitHub (Apr 8, 2020): TOTP has been checking both the previous and next slots for some time now so this can be closed.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#284
No description provided.