OTP on Gitlab - Nitrokey Pro 2

Popi · November 20, 2020, 10:28pm

Hello,

I am trying to set up 2FA with OTP on Gitlab with a Nitrokey Pro 2, and while it works fine from a barcode scanner, pasting the secret in the Nitrokey OTP emplacement gives me 6 characters digits which don’t validate on Gitlab.

I noticed that OTP on Nitrokey does not handle the account part provided by Gitlab. Could that explain the bad generated PINs?

Is Nitrokey OTP not compatible with Gitlab yet?

szszszsz · January 9, 2021, 7:40pm

Hello,

I am sorry for the delay.
Unfortunately I cannot pinpoint details from the Gitlab’s documentation regarding this feature implementation. Nitrokey Pro 2 handles TOTP codes according to the standard, with length as long as 320 bits, checked against test vectors.

To properly calculate the TOTP code, the time has to be set correctly on the PC hosting the Nitrokey, with a couple of seconds of tolerance. Could you check the time set?
How much digits are you receiving from another application? In case it is 8, you need to set the same digits count during the OTP setup in the Nitrokey App.
Perhaps some error occurred during the secret pasting into the Nitrokey App? If the secret contained spaces, it might be needed to remove them. Secret format is either Base32 or hexadecimal.
The TOTP window might be 30 or 60. It might be needed to change that to the latter value (as far as I remember the former is the default). This might be shown in the set up string.

Popi · January 9, 2021, 7:40pm

Now that you mention, I did notice a time shift on that computer later
that day. I will try again after fixing the NTP, I guess that must be it.

Thank you for your response!

Popi · January 9, 2021, 7:41pm

It was indeed NTP the issue, the computer was not synchronized, thus the OTP code failing.

Tested OK once I fixed the NTP, thanks again.