OTP Verification Fails

mphayesuk · April 10, 2021, 3:04pm

Hi all, I am having some issues in testing my tokens, its the same outcome for both totp and hotp.

ERROR is “OTP Verification Fails”

Background:
Token type HOTP - set to both 256 and 512 with the same error
Using Google Authenticator on my mobile phone
Using the test OTP only command for the token.

OS is RedHat 8.3
Using VirtualEnv
Using Python 3.6
Using PrivacyIdea 3.5.2 (I had the same errors while on 3.5.1 and upgraded to see if that fixed it, but it didnt)

Below is an extract from the error files using Debug mode, the only error that stands out to me is:
[privacyidea.api.lib.utils:254] Can not get param: Expecting value: line 1 column 1 (char 0)

The rest of the extract:
[2021-04-10 15:52:34,493][1279][139653445302016][DEBUG][privacyidea.lib.token:186] Entering check_otp with arguments (‘OATH000051D8’, ‘964784’) and keywords {}
[2021-04-10 15:52:34,493][1279][139653445302016][DEBUG][privacyidea.lib.token:186] Entering get_tokens with arguments () and keywords {‘serial’: ‘OATH000051D8’}
[2021-04-10 15:52:34,496][1279][139653445302016][DEBUG][privacyidea.lib.token:186] Entering create_tokenclass_object with arguments (<<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>,) and keywords {}
[2021-04-10 15:52:34,497][1279][139653445302016][DEBUG][privacyidea.lib.tokens.hotptoken:186] Entering init with arguments (<<class ‘privacyidea.lib.tokens.hotptoken.HotpTokenClass’> {}>, <<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>) and keywords {}
[2021-04-10 15:52:34,498][1279][139653445302016][DEBUG][privacyidea.lib.tokenclass:186] Entering init with arguments (<<class ‘privacyidea.lib.tokens.hotptoken.HotpTokenClass’> {}>, <<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>) and keywords {}
[2021-04-10 15:52:34,498][1279][139653445302016][DEBUG][privacyidea.lib.tokenclass:198] Exiting init with result None
[2021-04-10 15:52:34,498][1279][139653445302016][DEBUG][privacyidea.lib.tokens.hotptoken:198] Exiting init with result None
[2021-04-10 15:52:34,499][1279][139653445302016][DEBUG][privacyidea.lib.token:198] Exiting create_tokenclass_object with result <<class ‘privacyidea.lib.tokens.hotptoken.HotpTokenClass’> {"‘token’": ‘<<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>’, “‘type’”: “‘hotp’”, “‘init_details’”: ‘{}’, “‘auth_details’”: ‘{}’, “‘hKeyRequired’”: ‘True’}>
[2021-04-10 15:52:34,499][1279][139653445302016][DEBUG][privacyidea.lib.token:198] Exiting get_tokens with result [<<class ‘privacyidea.lib.tokens.hotptoken.HotpTokenClass’> {"‘token’": ‘<<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>’, “‘type’”: “‘hotp’”, “‘init_details’”: ‘{}’, “‘auth_details’”: ‘{}’, “‘hKeyRequired’”: ‘True’}>]
[2021-04-10 15:52:34,500][1279][139653445302016][DEBUG][privacyidea.lib.tokens.hotptoken:186] Entering check_otp with arguments (<<class ‘privacyidea.lib.tokens.hotptoken.HotpTokenClass’> {"‘token’": ‘<<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>’, “‘type’”: “‘hotp’”, “‘init_details’”: ‘{}’, “‘auth_details’”: ‘{}’, “‘hKeyRequired’”: ‘True’}>, ‘964784’) and keywords {}
[2021-04-10 15:52:34,501][1279][139653445302016][DEBUG][privacyidea.models:186] Entering get_otpkey with arguments (<<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”}>,) and keywords {}
[2021-04-10 15:52:34,501][1279][139653445302016][DEBUG][privacyidea.models:198] Exiting get_otpkey with result <privacyidea.lib.crypto.SecretObj object at 0x7f037b24fef0>
[2021-04-10 15:52:34,503][1279][139653445302016][DEBUG][privacyidea.lib.tokens.HMAC:186] Entering checkOtp with arguments (<privacyidea.lib.tokens.HMAC.HmacOtp object at 0x7f037b24fba8>, ‘964784’, 10) and keywords {}
[2021-04-10 15:52:34,503][1279][139653445302016][DEBUG][privacyidea.lib.tokens.HMAC:153] OTP range counter: 0 - 10
[2021-04-10 15:52:34,503][1279][139653445302016][DEBUG][privacyidea.lib.crypto:186] Entering decrypt with arguments (b’\x9bhWR{{\x02Y\x83K\x12\x05\x93 \xd6\xf3\xe7\xa3\x1a\xc1\xf4\xba ‘4\xb5\xb7\xdb\xd8\x91\x19\x82\xc9\xcb\xb9v\xde<\xd1\xcf"\x97\x01\xa5\x9d\x91{~{E6\x92S\xd8\xa0g\xca\x91\x83>\xe8\xe9\xc1\xe6\n\x99\x01\xfa\x87k\xb1\xbd\x86m>BEF\xf9\xb0A\x05\xd0\xdf\xc1(\x91\x11gA\xfagfNNw\xd7\xf2\xd0X*\xac\x15R<\xc8\xd5\xd8\x0fH\xdb\xbc(\x1a\\x11\xa1!\xdf1p\x0b\t\x9a\x9eGQvUx\xe2\xa7\xb2\xa2\xc4\xee\xf2\x07 \xc4\xd9\x10\x02}’, b’U\x04\xb8\xa5\x9c\xd8c\xd9\xdf\xb3\xa8\xecKe\x991’) and keywords {}
[2021-04-10 15:52:34,504][1279][139653445302016][DEBUG][privacyidea.lib.crypto:186] Entering aes_cbc_decrypt with arguments (b’\xb6@a\x9c\x8e\xd5\x07>S\xfdF\xc5S\xefe\xe9\x0b4\xbb\xdb\x18\xb54KZ\xde\xea\xb8\xbe\xe4p\xd3’, b’U\x04\xb8\xa5\x9c\xd8c\xd9\xdf\xb3\xa8\xecKe\x991’, b’\x9bhWR{{\x02Y\x83K\x12\x05\x93 \xd6\xf3\xe7\xa3\x1a\xc1\xf4\xba ‘4\xb5\xb7\xdb\xd8\x91\x19\x82\xc9\xcb\xb9v\xde<\xd1\xcf"\x97\x01\xa5\x9d\x91{~{E6\x92S\xd8\xa0g\xca\x91\x83>\xe8\xe9\xc1\xe6\n\x99\x01\xfa\x87k\xb1\xbd\x86m>BEF\xf9\xb0A\x05\xd0\xdf\xc1(\x91\x11gA\xfagfNNw\xd7\xf2\xd0X*\xac\x15R<\xc8\xd5\xd8\x0fH\xdb\xbc(\x1a\\x11\xa1!\xdf1p\x0b\t\x9a\x9eGQvUx\xe2\xa7\xb2\xa2\xc4\xee\xf2\x07 \xc4\xd9\x10\x02}’) and keywords {}
[2021-04-10 15:52:34,504][1279][139653445302016][DEBUG][privacyidea.lib.crypto:200] Exiting aes_cbc_decrypt with result HIDDEN
[2021-04-10 15:52:34,504][1279][139653445302016][DEBUG][privacyidea.lib.crypto:200] Exiting decrypt with result HIDDEN
[2021-04-10 15:52:34,505][1279][139653445302016][DEBUG][privacyidea.lib.tokens.HMAC:198] Exiting checkOtp with result -1
[2021-04-10 15:52:34,505][1279][139653445302016][DEBUG][privacyidea.lib.tokens.hotptoken:186] Entering _autosync with arguments (<<class ‘privacyidea.lib.tokens.hotptoken.HotpTokenClass’> {"‘token’": ‘<<class ‘privacyidea.models.Token’> {"’_sa_instance_state’": ‘<sqlalchemy.orm.state.InstanceState object at 0x7f037b247da0>’, “‘key_enc’”: “‘Enc Key Is The Same’”, “‘tokentype’”: “‘hotp’”, “‘count_window’”: ‘10’, “‘key_iv’”: “‘5504b8a59cd863d9dfb3a8ec4b659931’”, “‘user_pin’”: “’’”, “‘sync_window’”: ‘1000’, “‘maxfail’”: ‘10’, “‘user_pin_iv’”: “’’”, “‘rollout_state’”: “’’”, “‘id’”: ‘337’, “‘active’”: ‘True’, “‘so_pin’”: “’’”, “‘revoked’”: ‘False’, “‘so_pin_iv’”: “’’”, “‘locked’”: ‘False’, “‘pin_seed’”: “’’”, “‘failcount’”: ‘0’, “‘description’”: “’’”, “‘otplen’”: ‘6’, “‘serial’”: “‘OATH000051D8’”, “‘count’”: ‘0’, “‘pin_hash’”: “’$argon2id$v=19$m=102400,t=9,p=8$8D6nlLL23hujtDbGmHOOcQ$H2O1OD9h4OU7ZS9ldS/hVA’”, “‘info_list’”: ‘[<TokenInfo 1058>, <TokenInfo 1051>]’}>’, “‘type’”: “‘hotp’”, “‘init_details’”: ‘{}’, “‘auth_details’”: ‘{}’, “‘hKeyRequired’”: ‘True’}>, <privacyidea.lib.tokens.HMAC.HmacOtp object at 0x7f037b24fba8>, ‘964784’) and keywords {}
[2021-04-10 15:52:34,506][1279][139653445302016][DEBUG][privacyidea.lib.config:186] Entering get_from_config with arguments (‘AutoResync’, False) and keywords {‘return_bool’: True}
[2021-04-10 15:52:34,506][1279][139653445302016][DEBUG][privacyidea.lib.config:198] Exiting get_from_config with result True
[2021-04-10 15:52:34,506][1279][139653445302016][DEBUG][privacyidea.lib.tokens.HMAC:186] Entering checkOtp with arguments (<privacyidea.lib.tokens.HMAC.HmacOtp object at 0x7f037b24fba8>, ‘964784’, 1000) and keywords {}
[2021-04-10 15:52:34,506][1279][139653445302016][DEBUG][privacyidea.lib.tokens.HMAC:153] OTP range counter: 10 - 1010
[2021-04-10 15:52:34,523][1279][139653445302016][DEBUG][privacyidea.lib.tokens.HMAC:198] Exiting checkOtp with result -1
[2021-04-10 15:52:34,524][1279][139653445302016][DEBUG][privacyidea.lib.tokens.hotptoken:198] Exiting _autosync with result -1
[2021-04-10 15:52:34,524][1279][139653445302016][DEBUG][privacyidea.lib.tokens.hotptoken:198] Exiting check_otp with result -1
[2021-04-10 15:52:34,524][1279][139653445302016][DEBUG][privacyidea.lib.token:198] Exiting check_otp with result (False, {‘message’: ‘OTP verification failed.’})
[2021-04-10 15:52:34,524][1279][139653445302016][DEBUG][privacyidea.lib.auditmodules.base:186] Entering log with arguments (<privacyidea.lib.auditmodules.sqlaudit.Audit object at 0x7f037b2d8630>, {‘info’: ‘OTP verification failed.’, ‘success’: False, ‘serial’: ‘OATH000051D8’, ‘token_type’: None}) and keywords {}
[2021-04-10 15:52:34,524][1279][139653445302016][DEBUG][privacyidea.lib.auditmodules.base:198] Exiting log with result None

mphayesuk · April 10, 2021, 3:41pm

Ok, just to add a little more information.

It looks like its the Smartphone app that is causing the problem.

Google authenticator doesnt work unless the token is set to sha1 (not very strong).

I am going to see what else will or will not work with what settings.

And I know that the PrivacyIDEA app from the play store works with no issues, its a great little app and I think I will have to insist that this app is used.

Thanks
Martin

cornelinux · April 11, 2021, 10:17am

Not all Apps are the same. Test the apps you want to use. The worst (ok, the one with the most restrictions) is the Microsoft Authenticator.

See The problem with the Google Authenticator

For German speaking people: 001 Spielarten der Mehr-Faktor-Authentifizierung - LOGIN Success - Podcast

mphayesuk · April 16, 2021, 1:51pm

Sorry for the late reply. Thanks for your comments, we will run some tests and see which works best, but I think its the privacyidea app

Thanks