iOS 9 Time bug breaking two factor authentication
7 points| jpp123 | 10 years ago
Our devops team are seeing users who can no longer authenticate using 2FA code generators because their phones are off by over 30 seconds. The offset seems fairly random - a quick poll in our office shows that it appears to only impact iOS9. Mine is off 3.7 seconds. The biggest offset I've seen is 41 seconds.
Reboots, setting manually and the n going back to auto etc don't fid it.
You can check your offset at http://time.is or by downloading the free Emerald Time ntp app.
Any suggestions for a workaround greatly appriciated.
Someone1234|10 years ago
I've seen this before with people who try to roll their own Google Authenticator/TOTP implementation.
What they do is they read the standard, note the 30 second default step size, and entirely ignore the window. If you look at Google Authenticator while the steps are 30 seconds, the window is +1 or -1, so you can enter three different valid codes at any one time (for three different steps: 0, +30, -30).
But don't take my word for it, Google has Authenicator source code available here:
https://github.com/google/google-authenticator/blob/master/l...
Look at "window" or "window_size" options. To quote Google's own comment:
> By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so
So as I said, your 2FA is incorrectly done.
jpp123|10 years ago
joezydeco|10 years ago
jgeorge|10 years ago
jpp123|10 years ago
joezydeco|10 years ago
Apple support seems to think this is my inability to turn on the "automatic time setting" feature. I wish this problem had more visibility.
jpp123|10 years ago
joezydeco|10 years ago