I tried to generate a TOTP with NK3C (firmware 1.5.0, pynitrokey 0.4.38).
echo '<TOTPSECRET>' | base32
I take the output and use it with
nitropy nk3 secrets add-otp --digits-str 6 --kind TOTP --hash SHA256 --touch-button --protect-with-pin <HOSTINGPROVIDER> <TOTPSECRETBASE32>
However, when I do
nitropy nk3 secrets get-otp <HOSTINGPROVIDER>
and enter the PIN, I get the TOTP code. However, it does not work with my hosting provider. All other 2FA apps work.
Did I do something wrong? Using a different hash algorithm did not work.
Sorry for my late reply.
- Yes, I get it as binary data (i.e. letters and numbers, but it is for sure no base32 and it does not have the equal signs at the end). If I directly put it in nitropy, it also complains that it is not base32.
- I tried your suggested way (echo -n), but no success. I also tried different hashes etc., but no success.
Is the base32 command maybe not the right one? I see for instance in base32 --help that it encodes according to RFC 4648, but Google Authenticator (and also other authentication apps that I use) use base32 according to RFC 3548.
I also checked with another app now, and there it works as well.
After base32 encoding, the secret ends in some = characters, but if I remove them nitropy complains. So nitropy accepts my base32 encoded one (created via echo -n), but the generated TOTP codes do not seem to be correct.
Maybe I am still doing something wrong at the command line?
Can I help to debug it further?
Can you try to add multiple = characters at the end of the given secret, until nitropy stops complaining? I think this will make it work.
Sorry, maybe I did not express myself well. If I use the output of base32, then nitropy does not complain at all and I can generate the 6-digit codes. However, the 6-digit codes do not work with the website I am using them for, and other applications that generate 6-digit codes work.
If I use the latest nitrokey-app2 (Releases · Nitrokey/nitrokey-app2 · GitHub), then it works for me. The command line is in this case not so relevant, but it would be good to know if this could also work as an alternative to nitrokey-app2.
Hi! Sorry for the delay.
I believe you should get the same OTP codes with both, and the only problem with the CLI tool is registration. Can you send the name of the web service for the internal tests? (It can be over private message or firstname.lastname@example.org, if that is sensitive information.)
As a last resort (in case you would like to continue the investigation) please check if the base32 secret letters are capitalized:
The UX for pynitrokey should be improved next month, as we have work on it scheduled:
Thanks. The secret was NOT capitalized before running base32 on it.
The base32 encoded secret contained only capitalized letters.
Any idea what is different between nitrokey-app2 (which works perfectly fine with TOTP) and pynitrokey? I will also dig into the nitrokey-app2 code and see what it does with the secret before base32 encoding it.
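What actually changes when a provider secret (already base32, lower case, unpadded) is piped through echo | base32 before registration, as an added example that is not from the thread, from pynitrokey or from nitrokey-app2. The provider string is constructed from the RFC 6238 SHA-256 test key so the codes can be checked against the RFC; how nitropy itself normalizes input is not assumed.

```python
import base64
import hashlib
import hmac
import struct


def normalize_base32(secret: str) -> str:
    """Make a provider-supplied secret acceptable to a strict base32 decoder:
    drop whitespace, upper-case the letters and restore the '=' padding that
    many providers omit (RFC 4648 and RFC 3548 use the same alphabet)."""
    cleaned = "".join(secret.split()).upper()
    return cleaned + "=" * (-len(cleaned) % 8)


def decode_secret(secret: str) -> bytes:
    return base64.b32decode(normalize_base32(secret))


def totp(secret: str, unix_time: int, digits: int = 6, step: int = 30,
         algo=hashlib.sha256) -> str:
    """RFC 6238: HMAC(key, time counter) -> dynamic truncation -> decimal code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(decode_secret(secret), counter, algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


# Constructed provider string: the RFC 6238 SHA-256 test key, shown the way a
# web service usually presents it (lower case, no '=' padding).
RFC6238_SHA256_KEY = b"12345678901234567890123456789012"
PROVIDER_SECRET = base64.b32encode(RFC6238_SHA256_KEY).decode().rstrip("=").lower()


def reencoded(secret: str, trailing_newline: bool) -> str:
    """What `echo '<secret>' | base32` (newline) or `echo -n ... | base32`
    hands to nitropy: the TEXT of the secret is base32-encoded a second time."""
    raw = secret + ("\n" if trailing_newline else "")
    return base64.b32encode(raw.encode()).decode()


def key_lengths(secret: str = PROVIDER_SECRET) -> dict:
    """Byte length of the HMAC key each variant would actually program."""
    return {
        "as_given": len(decode_secret(secret)),            # 32-byte key
        "echo_pipe_base32": len(decode_secret(reencoded(secret, True))),
        "echo_n_pipe_base32": len(decode_secret(reencoded(secret, False))),
    }


if __name__ == "__main__":
    print(key_lengths())
    print(totp(PROVIDER_SECRET, 59), totp(reencoded(PROVIDER_SECRET, False), 59))
```

Only the first variant reproduces the RFC 6238 SHA-256 vector (46119246 at t=59 with 8 digits); the re-encoded variants program a 52- or 53-byte key made of the ASCII text, so every code differs from the provider's.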
Hey! Sorry for the late response.
nitrokey-app2 has automatic correction of the secret implemented, which over time will be moved up to pynitrokey. I do not know what specifically has helped here, but I guess it got capitalized