Did you get the secret in binary data? You should have got it in base32 already.
The echo '<TOTPSECRET>' | base32 call introduces an LF character (0x0a) at the end, which makes your secret invalid. You can see that with echo '<TOTPSECRET>' | xxd. You need to save it to a file, or use the -n switch like so:
echo -n '<TOTPSECRET>' | base32
The --hash parameter is not standard - in general it’s SHA1. Can you confirm that this is the algorithm the service uses?
Yes, I get it in binary data (i.e. letters and numbers - but it is for sure not base32 and it does not have the equal signs at the end). If I directly put it in nitropy it also complains that it is not base32.
I tried your suggested way (echo -n), but no success. Also different hashes etc., but no success.
Is the base32 command maybe not the right one? I see for instance in base32 --help that it encodes according to RFC 4648, but Google Authenticator (and also other authentication apps that I use) use base32 according to RFC 3548.
I checked also with another app now and there it also works.
After base32 encoding the secret ends in some = characters, but if I remove them nitropy complains. So nitropy accepts my base32 encoded one (created via echo -n), but the generated TOTPs do not seem to be correct.
Maybe I am still doing something wrong at the command line?
Can I help to debug it further?
Sorry maybe I did not express myself well. If I use the output of base32 then nitropy does not complain at all and I can generate the 6 digit codes. However, the 6 digit codes do not work with the website I am using them for. And other applications to generate 6 digit codes work.
If I use the latest nitrokey-app2 (Releases · Nitrokey/nitrokey-app2 · GitHub) then it works for me. The command line is in this case not so relevant, but it would be good to know if this could also work as an alternative to the nitrokey-app2
Hi! Sorry for the delay.
I believe you should get the same OTP codes with both, and the only problem with the CLI tool is registration. Can you send the name of the web service for the internal tests? (can be over private message or support@nitrokey.com, if that’s sensitive information).
Thanks. The secret was NOT capitalized before running base32 on it.
The base32 encoded secret contained only capitalized letters.
Any idea what is different between nitrokey-app2 (which works perfectly fine with TOTP) and pynitrokey? I will also dig into the nitrokey-app2 code and see what it does with the secret before base32 coding it.
nitrokey-app2 has automatic correction of the secret implemented, which over time will be moved up to pynitrokey. I do not know what specifically has helped here, but I guess it got capitalized.
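The handling steps discussed in this thread, as an added example that is not part of any post and is not nitrokey-app2 or pynitrokey code: it compares the HMAC key a service derives from a displayed base32 secret with the key a token ends up with when that string is piped through `base32` first. The sample secret is constructed from the RFC 6238 test key, and `normalize_secret`, `shell_base32` and `device_key` are hypothetical helpers; that the token base32-decodes its argument is an assumption.

```python
import base64, hashlib, hmac, struct

# Constructed sample: the RFC 6238 test key "12345678901234567890" as a service
# might display it (lowercase, no padding). Not a secret from the thread.
DISPLAYED = "gezdgnbvgy3tqojqgezdgnbvgy3tqojq"

def normalize_secret(shown: str) -> bytes:
    """Decode a displayed base32 secret: drop spaces, uppercase, restore '=' padding.
    The base32 alphabet is the same in RFC 3548 and RFC 4648."""
    s = "".join(shown.split()).upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def shell_base32(text: str, newline: bool) -> str:
    """Model of `echo [-n] text | base32`: encodes the ASCII bytes of text."""
    return base64.b32encode(text.encode() + (b"\n" if newline else b"")).decode()

def device_key(argument: str) -> bytes:
    """Assumed token behaviour: base32-decode the given string and use it as key."""
    return base64.b32decode(argument)

def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    cases = {
        "service (decodes displayed secret)": normalize_secret(DISPLAYED),
        "echo -n secret | base32": device_key(shell_base32(DISPLAYED, False)),
        "echo secret | base32": device_key(shell_base32(DISPLAYED, True)),
    }
    for label, key in cases.items():
        print(f"{label:36} key={key!r} code={totp(key, 59)}")
```

Only the first row holds the key the service uses; the other two keys are the ASCII text of the secret, so the token still produces well-formed codes without reporting an error.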