During tests I realized that HOTP with nitrokey and nitrokey-app does not work. Tracking down the issue I realized that nitrokey-app produces wrong HOTPs. This can easily be reproduced and verified.
From RFC 4226 tools.ietf.org/html/rfc4226 use the Secret = “3132333435363738393031323334353637383930”. Program Nitrokey using nitrokey-app as follows:
Same here, both under Windows and Ubuntu 14.04 LTS, the result is the same wrong numbers. I also had to disconnect the card several times and insert it again to make the reset app work under Windows 10 (CryptoStickReset), btw same on Linux with gpg-connect-agent. The configuration app even returned a success for deleting a HOTP entry, but after reconnecting the entry was still there. Seems to me there is something fundamentally broken in App Version 0.2 Firmware 0.7. I will claim my money back, starting with the installation and poor documentation, this stick is not yet ready and stable enough to get sold as a security device. It is a pity, it did sound like a real alternative to Yubikey.
I encountered the same problems with nitrokey-app (need to reconnect / reload, broken slot programming …). It sure is a pity, but having tested multiple different usb tokens - including yubikey - we realized that practically all of them do have problems, and none of them work reliably, especially in homogeneous environments or when trying to use them for multiple purposes. I think that the whole system is fundamentally broken.
But what troubles and annoys me most is the fact that these problems seem to be completely ignored by developers and manufacturers alike, although they advertise their products as universal solutions for all problems, when in reality they can be used for a small subset of promised features, if at all.
For example, a broken HOTP implementation is a serious matter and should be dealt with quickly. Yet there is no reaction by nitrokey anywhere. No activity on Github, no comment on the forums. Nothing. It has been weeks since I first reported the issue. But again, same thing with other manufacturers. At least nitrokey is open source and open hardware, so anybody could try to fix these issues. Curiously, nobody does. Yet we are in need of working and reliable solutions. It’s sad.
A quick update on the matter. Programming nitrokey with the secret in Base32 encoding does provide the correct HOTPs. So it appears to be a string conversion issue or sth similar.
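For comparing a token's output against known-good values, here is an added reference calculation (not part of the thread and not Nitrokey's code) of RFC 4226 HOTP for the secret quoted above, loaded from both its hex and its Base32 form. The last case hashes the hex text itself instead of the decoded bytes; that is one possible key-handling mistake shown only for contrast, since the thread does not establish the actual cause.

```python
import base64
import hashlib
import hmac
import struct

# Secret quoted in the thread (RFC 4226 test secret), hex form.
RFC_SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def key_from_hex(text: str) -> bytes:
    return bytes.fromhex(text.strip())


def key_from_base32(text: str) -> bytes:
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)  # restore padding some tools strip
    return base64.b32decode(text)


def to_base32(key: bytes) -> str:
    return base64.b32encode(key).decode("ascii")


def first_codes(key: bytes, count: int = 3) -> list:
    """HOTP values for counters 0 .. count-1."""
    return [hotp(key, c) for c in range(count)]


if __name__ == "__main__":
    key = key_from_hex(RFC_SECRET_HEX)
    b32 = to_base32(key)
    print("base32 form     :", b32)
    print("from hex        :", first_codes(key))
    print("from base32     :", first_codes(key_from_base32(b32)))
    # Contrast case (assumption, for illustration): the 40-character hex
    # text used directly as the key instead of the 20 decoded bytes.
    print("hex text as key :", first_codes(RFC_SECRET_HEX.encode("ascii")))
```

If a token programmed with this secret and counter 0 does not start with the values printed in the first two rows, the programming or key conversion step is at fault rather than the verifier.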
Well, it seems my previous post was premature. Although I got it working with the Base32 presentation of above key, I immediately ran into issues when using another key. Trying to program the following key in both hex and b32:
No matter what I try, HOTPs are always wrong. Whatever I did earlier to get the correct values, I can’t reproduce it for the new key. So it’s not just a string parsing issue. Programming of HOTPs is totally broken.
So again. Please, show some dedication to your product and react somehow.
Thanks for your analysis. We assume the error is in the Nitrokey App, which is quite messy code. Since January our focus has been on rewriting the Nitrokey App from scratch, starting with a clean library layer. This would be the most efficient approach to fix this and other errors, but it will take a few more months. In the meantime we will try to fix it in the current Nitrokey App. Please give us some more time and I will inform you here.
Hi,
Did anybody successfully log in to Keepass2 with HOTP and could post his settings/procedure here, please?
Or is the Nitrokey-App still the problem?
I also didn’t figure out how the “Hotkeys” Capslock/Numlock etc. insert the keys …
Could you make a new topic with this issue? It will be easier to organize.
As for Nitrokey App - the HOTP issue was fixed some time ago and it surely works in the latest release.
Regarding hotkeys - you have to choose an OTP slot in the configuration. Then, after double pressing the chosen capslock/numlock/scrolllock, the OTP code should be inserted by the key. Running the app is not needed while using the hotkey.
I got locked out of my newly created database! Can they use keepassSX instead? Keepass2 is no good in my opinion. I might have set it up wrongly, I can try again… If I’m the only one with issues now…
edit: The issue might have been on MY SIDE and not the nitrokey or the code. I’m gonna try setting it up again… I made some error. Probably hex, the wrong key or time. I will try again now and let you know later on. I need to play around some and learn this.
I’m no power computer user… Or expert