Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
    Thread Starter DrDamnit

    (@drdamnit)

    This is a good point. But, this isn’t everyone with a google account. It’s a specific account that we have shared with one individual; and as his boss, I keep copies of the codes. So, it’s one person and his superior having access to the account in question.

    Additionally, having looked up the actual hash that they use, it’s an HMAC that measures the number of 30 second intervals since the Unix Epoch. So, it has to be a time issue, probably with his phone. This also confirms what I thought: they should be using UTC.

    The time must be off on their phone…

    Thread Starter DrDamnit

    (@drdamnit)

    I’ll give it a try.

    But… I disagree:

    Here’s why:

    1. When the other user logs in and generates his own code, that’s not going to be any different than if I generated the code and gave him the QR code via screenshot as I have done before. Sure, the secret will be different, but the process is the same, and the server doesn’t know the difference since this is an out-of-band authentication factor. The key here is the secret that is generated.

    2. Google Authenticator uses a one-way hash to turn something (like a time-stamp) into the six digit code. Since the secret is the same, the only other thing we can look at is the time-based initialization vector or the input to the hashing algo.

    Thread Starter DrDamnit

    (@drdamnit)

    These guys have their own admin account (different from mine, and our client has the main admin account).

    Their account has GA enabled, and they have been given the username and password.

    The username is a normal username (i.e., “StaffAdmin”). And, the password for the account is random (like: “E7bOsyyN1JpW”). What they are doesn’t really matter, because I know they get hashed and stored in the DB. But, just trying to give you a full picture here.

    As I said before, the GA Secret was verified on their side as the same one I am using. And, they were sent (securely) the QR code that contains the secret and GA setup.

    Via chat, we discovered that Google Authenticator on their side was, in fact, generating different codes than the same code on my side. Here’s how we discovered that:

    Each time the code was generated anew, I put it into our secure chat to send it to them. He compared it on his side, and they were different.

    If he used a code that I sent him, he was able to log in, so that confirms he’s using the correct username and password. The fact that his GA app was generating different codes can (in my opinion) only be attributed to the time on his phone being different than mine, which is what prompted me to post this thread.

    We really need to get this working because the site we are working with is the subject of frequent brute force attacks. The server has fail2ban setup, and we’ve been running WordFence, but really want this extra layer of security.

    I just can’t figure out why the same code on two different phones would generate different codes – except if there was a time issue….
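The mechanism the three posts above argue over, as an added example that is not code from the thread, from WordPress, or from Google Authenticator: a TOTP implementation per RFC 6238 (HMAC-SHA1 over the count of 30-second steps since the Unix epoch), followed by a skew demo in which two devices share the same secret but one clock is off. The seed is the RFC 6238 reference seed, used so the outputs match the RFC's published test vectors; the server-side acceptance window of one step is an assumption about how a typical verifier behaves, not something the thread states. Because Unix time is already UTC, the code shows that a timezone setting cannot change the result; only the clock's offset from true time can.

```python
import base64
import hashlib
import hmac
import struct
import time

# Google Authenticator parameters (RFC 6238 defaults): 30-second steps, 6 digits, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6

# The published RFC 6238 reference seed (ASCII "12345678901234567890"), base32-encoded
# as it would appear in an otpauth:// QR code. Chosen so results can be checked against
# the RFC's test vectors; it is not a real account secret.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    pad = "=" * (-len(secret_b32) % 8)               # b32decode wants a multiple of 8 chars
    key = base64.b32decode(secret_b32.upper() + pad)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole `step`-second intervals since
    the Unix epoch. Unix time is UTC by definition, so a phone's timezone setting is
    irrelevant; only its clock's offset from true time moves the counter."""
    return hotp(secret_b32, int(unix_time // step))


def verify_totp(secret_b32: str, code: str, unix_time: float, window: int = 1,
                step: int = TIME_STEP) -> bool:
    """Server-side check (an assumed, typical design): accept the code for the current step
    and `window` steps on either side, so a few seconds of skew across a step boundary still
    logs in. Codes are compared with hmac.compare_digest to avoid a timing side channel."""
    counter = int(unix_time // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


def skew_demo(secret_b32: str, server_time: float, phone_offset: float):
    """What the thread observed: the phone's clock is `phone_offset` seconds off the server's.
    Returns (server_code, phone_code, accepted_by_server)."""
    server_code = totp(secret_b32, server_time)
    phone_code = totp(secret_b32, server_time + phone_offset)
    return server_code, phone_code, verify_totp(secret_b32, phone_code, server_time)


if __name__ == "__main__":
    print("code right now:", totp(RFC_SEED_B32, time.time()))
    # Server time 1111111109 is an RFC 6238 test instant (counter 37037036, code 081804).
    for offset in (-3, 2, 90, 600):
        server, phone, ok = skew_demo(RFC_SEED_B32, 1111111109, offset)
        print(f"phone clock off by {offset:+5d}s: server={server} phone={phone} accepted={ok}")
```

Running the demo shows the two cases the thread conflates: a clock that is off by a couple of seconds across a step boundary yields a different code but is still accepted by a verifier with a one-step window, while a clock that is off by 90 seconds or more yields codes the server will never accept. If the codes on two devices disagree for every attempt, the phone's clock (not its timezone) is the thing to check.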

    I eventually figured it out.

    I was putting the email in there in RFC standard format: [email protected] <Doctor Damnit>.

    Eventually, I went and read the source code.

    Mail2 expects ONLY the email address. Don’t use RFC format. Just put [email protected] in the mail2 field.

    That’s what worked for me, anyway.

    I have the same issue. I am watching the queue on our mail server. The first message enters the queue, is sent to the smarthost, and delivered. The Mail(2) message is never even sent to the queue.

    What’s the fix? Anyone?
