TOTP - Google Authenticator


Pratap Konakala

Sep 3, 2021, 7:45:33 AM
to Keycloak User
Hi Team,

We were using Keycloak version 11.0.0 and enabled TOTP with Google Authenticator.
Authentication is failing with an invalid authenticator code.

We also noticed that authentication works with the configuration below.
Look Ahead Window = 2
OTP Token period = 60
With the above configuration, the passcode is accepted after exactly half of the period completes.

Please provide a quick solution/feedback.

Thanks,
Pratap 

Juan Pablo Gardella

Sep 3, 2021, 7:56:20 AM
to Pratap Konakala, Keycloak User
Check that the server time is accurate. I had the same problem; use NTP to keep the clock synchronized.




Ionel GARDAIS

Sep 3, 2021, 7:58:52 AM
to keycloak-user
Hi Pratap,

Do you use SHA256 or SHA512 as your OTP hash algorithm (instead of SHA1)?
Google Authenticator does not seem to handle anything other than SHA1.
I suggest FreeOTP.

Ionel

From: "Pratap Konakala" <pratap.k...@gmail.com>
To: "keycloak-user" <keyclo...@googlegroups.com>
Sent: Friday, September 3, 2021 13:45:33
Subject: [*EXT*] [keycloak-user] TOTP - Google Authenticator


Pratap Konakala

Sep 3, 2021, 11:10:03 AM
to Keycloak User
Server time is in sync with the client; secondly, we are using SHA1 only.

Pratap Konakala

Sep 3, 2021, 11:12:19 AM
to Keycloak User
We have the above problem when we are using a reverse proxy.
Without the reverse proxy, Google Authenticator works as expected.

Ionel GARDAIS

Sep 3, 2021, 11:37:23 AM
to keycloak-user
After some googling, it looks like Google Authenticator only allows 30s codes:


"From that article, SecureAuth Authenticate allows for Any time interval to be used.
However, Google Authenticator and Microsoft Authenticator only allow for 30 Second time intervals."

It matches your observations.
Give FreeOTP a try or change your OTP setup.

Ionel


From: "Pratap Konakala" <pratap.k...@gmail.com>
To: "keycloak-user" <keyclo...@googlegroups.com>
Sent: Friday, September 3, 2021 17:12:19
Subject: [*EXT*] [keycloak-user] Re: TOTP - Google Authenticator


Thomas Darimont

Sep 3, 2021, 11:48:27 AM
to Ionel GARDAIS, keycloak-user
Yes, Google Authenticator only supports a 30 second interval.
I filed an issue about this many moons ago but that's still not fixed.

Cheers,
Thomas
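
The replies above raise three possible causes: clock drift, hash algorithm, and token period. The following diagnostic is an added example, not part of any post in this thread and not Keycloak code; it computes RFC 6238 codes and reports which algorithm, period and clock offset reproduce a code the authenticator showed. The names `totp`, `diagnose` and `SAMPLE_SECRET` are hypothetical, and the secret and timestamps are constructed.

```python
import base64
import hmac
import struct

# Constructed sample input: the RFC 6238 SHA-1 test key ("12345678901234567890")
# in Base32, standing in for a user's enrolled OTP secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, period=30, algo="sha1", digits=6):
    """RFC 6238 code: HOTP (RFC 4226) over counter = floor(unix_time / period)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def diagnose(secret_b32, code, server_time, max_steps=4):
    """List every (algo, period, step) that reproduces `code`.

    step is how many periods the generating clock is ahead (+) or behind (-)
    of server_time; a non-zero step means drift or a late-entered code.
    """
    hits = []
    for algo in ("sha1", "sha256", "sha512"):
        for period in (30, 60):
            for step in range(-max_steps, max_steps + 1):
                t = server_time + step * period
                if t >= 0 and totp(secret_b32, t, period, algo) == code:
                    hits.append((algo, period, step))
    return hits

if __name__ == "__main__":
    server_now = 1111111109  # constructed server timestamp
    # Constructed case: the phone clock is 45 s behind the server.
    phone_code = totp(SAMPLE_SECRET, server_now - 45)
    for algo, period, step in diagnose(SAMPLE_SECRET, phone_code, server_now):
        print(f"match: {algo}, period={period}s, step={step:+d}")
```

A match with a non-zero step points at clock skew between the device and the server; a match only under an algorithm or period other than the one configured on the server points at a settings mismatch between the server and the authenticator app.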


Pratap Konakala

Sep 3, 2021, 12:20:49 PM
to Keycloak User
Thanks Ionel & Thomas.
Initially we tried with OTP Token period = 30 only, but it was not working. We then changed it to 60 and it is working, but not immediately when we get the passcode; we need to wait 15 seconds and then it is accepted.

Pratap Konakala

Sep 3, 2021, 12:22:24 PM
to Keycloak User
Also, I have a restriction to use only Google Authenticator.
Alternatively, I tried FreeOTP as well; it is also not working. Used SHA256.

Pratap Konakala

Sep 10, 2021, 4:33:32 AM
to Keycloak User
FreeOTP works fine on iOS devices, whereas on Android devices it works with the second passcode only.

piyush bakde

Sep 11, 2021, 6:01:28 AM
to Keycloak User
Hello,
I am Piyush. I am new to this open-source community and want to start with a contribution to open source.
Can anyone guide me with project installation and how to set it up on the local machine?
I went through the readme file and every detail of this project on GitHub, but personally I feel I should ask another member of the community so they can provide me with a better guide to deal with it.

So what should I do after I have cloned the project to my folder?