OTP and mailbox.org


#1

Trying to set up OTP as a TOTP token in mailbox.org, web interface.
To tell the truth I am very frustrated. It seems, since all howtos are different and, to be honest, quite unclear, and nearly all use smartphones (which I do not possess), that this kind of authentication is not really promoted.
In Mailbox.org you get the following

As you see, it gives you the possibility to generate the token.
If you do, you get: (e.g. 8bit, sha512, 60sec)


which should give me what I need by clicking on the link? Or by using the seed? No idea, no understanding at all!
So if you take the seed and put it in the app where it says secret key, that gives: too long for this device. Either this is too long (what is short enough then?) or it is wrong to do so. No understanding. No explanation on the web that I have found.
Now if you instead click on the link, in Firefox you get a generic oops cannot execute.
In Opera you get a better error:

Then when clicking ok you get:
Impossible to find an application or a manager for … (the link).

So, no idea, no understanding. Do I miss an application, is this because of Opera, should I or shouldn’t I use the link???

I am totally lost, I find the procedure tedious, I find the information you can find on the web not intuitive, incomplete, confusing.
Is there anybody who managed this and knows how to do this on a Linux system?
Using openSUSE Leap 15
:scream:
Thanks in advance.


#2

Hi!

Just briefly looking, the secret string might be in the link (after
‘secret=’), encoded as base32. Perhaps the seed is a hexadecimal
representation (just a guess).
Usually applications show the secret to allow easy copying to
other OTP authenticators.

I am not sure SHA512 will be handled - is it possible to use SHA256?


#3

Aren’t these resources helpful?

https://www.privacy-handbuch.de/handbuch_21j5b.htm

https://userforum.mailbox.org/knowledge-base/article/zwei-faktor-authentifizierung


#4

No, neither works. In particular: if I follow the indications given by the “handbook”:
The other parameters are to be adapted to the settings in the Nitrokey App.
But how the parameters should be adapted or applied is not written. Whatever I try, my key generates an 80-cipher seed while mailbox.org wants a 64-cipher seed at most.
So, currently the first reference helps. The second reference is interesting because:
it did not come up while ducking (DuckDuckGo), and was not referenced when going via the mailbox.org main site searching for OTP and mailbox.org. Once you read it, it only gives you very limited info (as for not being able to change the mail address etc.), but by itself I find the second reference confusing, not helpful.
Any idea what I have to adapt to get 64 numbers in hex?


#5

It is apparently hexadecimal but only accepts 64 ciphers, while the key (at least mine, as it is apparently set up) generates 80 ciphers.
Suggestions welcome.
I am so puzzled guys, it should be straightforward and gets such a mess. If I propose that to 90% of the people I know (who are, like all users I know, intellectually challenged when they have to do one step more than inserting a USB key) they would jump straight out of the window…


#6

Nitrokey App adjusts the ciphers limit to the one supported by your
device. It should be more verbose about that though, to avoid such confusion.

At the moment 80 digits / 320 bits are supported only on Nitrokey Pro
v0.8+. We are working to add such support to Nitrokey Storage.


#7

O.K. This by itself would not be a problem, but becomes one since mailbox.org wants 64.
So what should I do? The other way round, generate the key in mailbox.org and import it?
Which then raises the question of “how” to do that.
As the French say, “we are not out of the woods yet…”
But we are making progress.
I have the Nitrokey Pro v. 0.8


#8

A developer of mailbox.org suggested generating the secret in Nitrokey App, selecting hexadecimal (!) and exporting it to mailbox.org. However, I didn’t test it myself.


#9

In hexadecimal (as mentioned above) the Nitrokey Pro adapts to its capacities, which are, alas, higher than those of the mailbox.org interface.
So here is the issue: you generate it, but it has 80 digits. You need a key with max 64 digits.
Is there a way? Would this be a good call for an enhancement of the Nitrokey App, to limit the digits to a wanted size (granted that you may warn/indicate that the Nitrokey Pro would be able to give you more - and we all know that more is better lol)?
Then one would not even run into the issue.


#10

Also it’s quite important to remember that your initial secret shown in your screenshot above is now compromised! After all, you’ve posted it in a public forum… So I just hope you did/do not use it and/or mailbox.org generates a new one.


#11

Yes, the secret shown is not used (it is an example; but besides this absolutely pertinent remark, it is currently not possible to use OTP, not even by importing a key made with mailbox.org, where by the way I posted the problem… and was not the only one). It is an old problem that you leak information when it comes to mail, keys and PAM on forums. But when I post such a thing as above, it is always only a “proof of concept”. However, you do a good thing to point it out.
I will see if I can give you some “love” via kudos, or kindly ask the forum owner to award you a nice “medal”. No pun intended, the amount of people that “just do not bother” is much too high, on the internet and in real life. It is really positive that you are different.
Thank you for your awareness and for caring. :+1:


#12

So I retried in mailbox.org
OTP settings:
create the OTP in mailbox.org (so as not to have the 80-digit problem). Then take the 8, 256, 30 sec seed and copy it into Nitrokey App (TOTP in generation and in the key, to be clear). Set 8 and 30 seconds, hexadecimal. Save it.
Confirm it in mailbox.org, activate the key and set the PIN. Control for primary email address OK. So all set to OTP, and log out.
Log in with a different browser (but tried also with FF). Normal login does not work any more in the web interface. Good. Now: take the primary email address, password PINANDTOKEN without any space in between (Nitrokey delivers the token as requested).
And that DOES NOT work. :cold_sweat:
So is something also wrong with how the Nitrokey generates the key? I have not yet had any feedback from mailbox.org itself. But since they are busy changing software, maybe afterwards it will be working? Doubt it a bit.
I currently have the feeling this is more of a kind of vendor lock-in.


#13

If you select hexadecimal and you create the token in the Nitrokey Pro, the number is too long (80). But if you then change to base32 it would be the desired length for the web interface. However, it will not accept it now because it wants the value in hexadecimal with 64 digits.
Is there a way to tell the app to create the numbers with 64 hexadecimal digits in Nitrokey?
When I create the key with 8, 256 and 30 seconds in mailbox.org it is 64 digits. I can import the seed into the Nitrokey, adapt 8 and 30 and then save it. The key does not complain and gives me a random number. When I try the procedure they describe (the main email address, and as password the PIN followed directly, without space, by the 2F), it does not work and the password is not recognized.
If you see anything in this description that is wrong or reads wrong… let me know.


#14

Hey,

I tried myself. You can indeed use the secret saved in the link for the Nitrokey App. Unfortunately, I do not understand how to enable the OTP as 2FA, and they do not prove the correct setup by demanding a test password, therefore I cannot confirm if it is working correctly.

But as they explicitly mention the Nitrokey, I suggest asking them for support. I honestly don’t understand their interface…

Kind regards
Alex


#15

Hi!

None currently, but I hope to add it in the next version. If you have any other improvement proposals, please register them on nitrokey-app/issues.

A simple workaround is to edit the just-generated secret and cut the hex digits after the 64th position.

@nitroalex Could you gather the proposed improvements here and register the ticket for Nitrokey App?


#16

This does effectively work.
In order to use the Nitrokey in mailbox.org you have to:
a) log into the web interface, go to settings
b) use OTP as menu point
c) input the PIN, select “yubi or different generators”
d) select: web interface all other password
e) you now generate the key in the Nitrokey Pro, hexadecimal, 8 bit 30 sec (gives 80 digits).
f) you delete by hand everything after the 64th digit.
g) you copy the seed as hexadecimal to the clipboard via the app button
h) you paste the seed into the web interface point of mailbox.org (having selected TOTP)
i) you click O.K., now you save in the app and you empty the clipboard of the seed!
j) you activate the token with the button “activate the token”, selecting the token you pasted.
k) you finish your action with: activate OTP (send request).
l) you log out. To log in you have to:
put in your main mail address. Put in the PIN followed, without space, by the TOTP number generated by the Nitrokey. Return, you are in.

Verified! This was the only method that really worked with me.
Thank you so much to all who helped.

:fireworks:
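As an added example (not code from this thread, from Nitrokey or from mailbox.org), here is the arithmetic behind the steps above: pulling the base32 secret out of an otpauth:// link as #2 suggests, showing it as the hex seed the mailbox.org field wants, cutting an 80-digit Nitrokey-style seed down to 64 digits as #15 and step f) describe, and computing the 8-digit, 30-second TOTP locally so a value can be compared with what the device shows (#14 notes mailbox.org offers no test step). The link and the 80-digit seed are constructed; the 32-byte seed and the expected codes are the RFC 6238 SHA256 test vector.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample link of the kind mailbox.org shows (8 digits, 30 s, SHA256).
# Its secret is the 32-byte RFC 6238 SHA256 test seed "1234567890"*3 + "12" in base32.
SAMPLE_URI = ("otpauth://totp/mailbox.org:user%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA"
              "&algorithm=SHA256&digits=8&period=30")

# Constructed 80-hex-digit (320-bit) seed, the length a Nitrokey Pro v0.8 generates:
# the same 32 bytes as above followed by 8 extra bytes.
NITROKEY_STYLE_SEED = ("31323334353637383930" * 3 + "3132") + "3132333435363738"

def secret_from_otpauth(uri):
    """Decode the base32 'secret=' parameter of an otpauth:// link to raw bytes."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)        # links usually drop the '=' padding
    return base64.b32decode(b32)

def seed_as_hex(secret):
    """Hex form of a secret, as typed into the mailbox.org 'seed' field."""
    return secret.hex()

def cut_hex_seed(hex_seed, max_digits=64):
    """Keep the first max_digits hex digits (64 digits = 256 bits for mailbox.org).
    Device and server must both use this shortened seed, or codes will not match."""
    if max_digits % 2:
        raise ValueError("a hex seed needs an even number of digits")
    return bytes.fromhex(hex_seed[:max_digits])

def totp(secret, unix_time, digits=8, period=30, algo=hashlib.sha256):
    """RFC 6238 TOTP: HMAC over the big-endian time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def expected_code(uri, unix_time):
    """Code a correctly configured token should show for this link at unix_time."""
    params = parse_qs(urlparse(uri).query)
    algo = getattr(hashlib, params.get("algorithm", ["SHA1"])[0].lower())
    return totp(secret_from_otpauth(uri), unix_time,
                int(params.get("digits", ["6"])[0]),
                int(params.get("period", ["30"])[0]), algo)
```

Comparing expected_code(link, int(time.time())) with the number the Nitrokey App displays tells you whether seed, digit count, period and hash all match before you lock yourself out of the mailbox.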