daviftorres commented on issue #11776: URL: https://github.com/apache/cloudstack/issues/11776#issuecomment-3362698898
So, for comparison I searched and found 30 QRCodes from the Internet that were in tutorials about setting up TOTP with Authenticator apps in general. Here is what I saw: 30 out of 30 started with the appropriate `otpauth://totp/` followed by a string, 30 out of 30 had the `secret=` attribute (no kidding), 27 out of 30 had the `issuer=` with a string, 9 out of 30 had the `digits=` (all with the most popular value of 6), 9 out of 30 had the `period=` (all with the most popular value of 30), 8 out of 30 had the `algorithm=` for the hash (seven with the default SHA1 and one with SHA256), 1 out of 30 had the `endpointUrl=`, which I am not really sure is standard or a feature of a password manager, for example.

The point I am trying to make here is:

- Maybe DUO's defaults are not what ACS expects,
- ACS could add the parameters `&algorithm=SHA1&digits=6&period=30` to the QRCode generator.

Moreover, I also set many Authenticators (online and mobile apps) with the same Seed (Secret) at the same time. They often display shifted rolling pins. That explains why some SSO solutions give a grace period in case you submit the pin a few seconds after it has changed (reducing the race to type). Eventually, they all show the same pin for a short time, or commonly one (or more) is lagging behind all the others :-/

![Image](https://github.com/user-attachments/assets/79f90fe9-4189-48e0-9d87-c8f57289f12d)

My DUO and Google Authenticator apps were alternating between the Orange and the Red from the illustration above.

Online TOTP Authenticators used (only for tests with a fake/revoked seed):

- https://totp.danhersam.com/
- https://www.authgear.com/tools/totp-authenticator
- https://auth.web.id/
- https://2fasolution.com/totp.html

Can we also have a grace period that does not downgrade the security of the 2FA?

Example:

- In the first 15 seconds it would still accept the previous code,
- In the last 15 seconds it would also accept the code that will come after.

How does that sound?
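An added example (not code from the issue, from CloudStack or from DUO) that builds an `otpauth://totp/` URI carrying the explicit `algorithm`, `digits` and `period` parameters discussed above, and verifies a submitted code with exactly the asymmetric 15-second grace period proposed in the comment, plus a set of already-used step counters so the wider window cannot be turned into a replay window. The secret is the RFC 6238 reference secret, used here as constructed test input; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed input: the RFC 6238 reference secret "12345678901234567890" in base32.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def otpauth_uri(issuer, account, secret_b32, algorithm="SHA1", digits=6, period=30):
    """State algorithm, digits and period explicitly instead of trusting app defaults."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


def totp(secret_b32, counter, algorithm="SHA1", digits=6):
    """RFC 6238: HMAC over the 64-bit step counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def accepted_counters(now, period=30, grace=15):
    """Always the current step; the previous step only during the first `grace`
    seconds of a period, the next step only during the last `grace` seconds."""
    counter, elapsed = divmod(int(now), period)
    steps = {counter}
    if elapsed < grace:
        steps.add(counter - 1)
    if elapsed >= period - grace:
        steps.add(counter + 1)
    return steps


def verify(secret_b32, code, now, used=None, algorithm="SHA1", digits=6, period=30):
    """Constant-time compare against each accepted step. `used` holds step counters
    that already authenticated, so the grace window does not also allow replay."""
    for c in sorted(accepted_counters(now, period)):
        if used is not None and c in used:
            continue
        if hmac.compare_digest(totp(secret_b32, c, algorithm, digits), code):
            if used is not None:
                used.add(c)
            return True
    return False
```

Note that with a 15-second grace on a 30-second period every instant accepts two codes, so the used-counter set (or an equivalent per-user "last accepted step" record) is what keeps the proposal from weakening the factor.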
