NK3C TOTP issues


I tried to generate with NK3C (firmware 1.5.0, pynitrokey 0.4.38) a Totp.

I do

echo '<TOTPSECRET>' | base32

I take the output and use it with

nitropy nk3 secrets add-otp --digits-str 6 --kind TOTP --hash SHA256 --touch-button --protect-with-pin <HOSTINGPROVIDER> <TOTPSECRETBASE32>

However, when I do

nitropy nk3 secrets get-otp <HOSTINGPROVIDER>

and I enter the pin then I get the TOTP code. However, it does not work with my hosting provider. All other 2FA apps work.

Did I do sth wrong? Different hash algorithm did not work.

Thank you.

best regards


  1. Did you get the secret in a binary data? You should have got it in base32 already.
  2. echo '<TOTPSECRET>' | base32 call introduces LF character (0x0a) at the end, which makes your secret invalid. You can see that with echo '<TOTPSECRET>' | xxd. You need to save it to file, or use -n switch like so:
    echo -n '<TOTPSECRET>' | base32
  3. The --hash parameter is not standard - in general it’s SHA1. Can you confirm that this is the algorithm the service use?

sorry for my late reply.

  1. yes I get it in binary data (ie letters and numbers - but it is for sure no base32 and it has not the equal signs at the end). If i directly put it in nitropy it complains also that it is not base32.
  2. I tried your suggested way (echo -n), but no success. Also different hashes etc., but no success

Is the base32 command maybe not the right one. I see for instance in base32 --help that it encodes according to RFC 4648, but Google Authenticator (and also other authentication app that I use) use base32 according to RFC 3548

I checked also with another app now and there it also works.
After base32 encoding the secret ends in some = characters, but if remove them nitropy complains. So nitropy accepts my base32 encoded one (created via echo -n), but the generated totp do not seem to be correct.

Maybe I am still doing sth. wrong at the command line?
Can I help to debug it further?

Can you try to add multiple = characters at the end of the given secret, until nitropy will stop complaining? I think this will make it work.

Sorry maybe I did not express myself well. If I use the output of base32 then nitropy does not complain at all and I can generate the 6 digit codes. However, the 6 digit codes do not work with the website I am using them for. And other applications to generate 6 digit codes work.

If I use the latest nitrokey-app2 (Releases · Nitrokey/nitrokey-app2 · GitHub) then it works for me. The command line is in this case not so relevant, but it would be good to know if this could also work as an alternative to the nitrokey-app2

1 Like

Hi! Sorry for the delay.
I believe you should get the same OTP codes with both, and the only problem with the CLI tool is registration. Can you send the name of the web service for the internal tests? (can be over private message or support@nitrokey.com, if that’s sensitive information).

As a last resort (in case you would like to continue the investigation) please check if the base32 secret letters are capitalized:

The UX for pynitrokey should be improved next month, where we have work with it scheduled:

thanks. The secret was NOT capitalized before running base32 on it.
The base32 encoded secret contained only capitalized letters.

Any idea what is different between nitrokey-app2 (which works perfectly fine with TOTP) and pynitrokey? I will also dig into the nitrokey-app2 code and see what it does with the secret before base32 coding it.

Hey! Sorry for a late response.

nitrokey-app2 has automatic correction of the secret implemented, which over time will be moved up to pynitrokey. I do not know what specifically has helped here, but I guess it got capitalized :slight_smile: