PrivacyIdea App does not work with Office365


I wanted to use the PrivacyIdea App to add a second factor for my Office365 account.

It’s possible to add the account (click on “Configure app without notifications”) but verification fails afterwards.

I would not mind if it would fail with other auth apps as well but it works with “Google Authenticator” as well as “FreeOTP”.


Any idea?

Thank you,

I know that the Microsoft Authenticator sucks and simply defaults to TOTP.
My suspicion is that Microsoft also sucks in generating a compliant QR code.
I know that FreeOTP also defaults to TOTP.
So my claim would be that Office365 simply creates a faulty QR code, which the privacyIDEA authenticator interprets correctly and the other authenticators interpret false-positively.
If you are willing to share the QR code, then we can verify my claim.

You should change the topic to "Office365 generates non-standard QR codes" :frowning:

OK, I’ve sent you a direct message with a real QR code.


The OTP apps are definitely not all created equal…
Especially if you don’t want TOTP (that requires accurate time).
Below is a QR code for a HOTP token that I just created on PI 3.2.2.
[Image: Screen Shot 2020-02-20 at 3.16.50 PM]
It is recognized as TOTP by FreeOTP and generates faulty numbers.
Google Auth and PI app show the same and pass the test on the PI server.
Unlike TOTP, with HOTP there is more than one “right” number (press next or reload in the app).

Another layer of discrepancy can be noted when using 8-character tokens.
Also, FreeOTP on Android and iOS are not always the same…

Go figure…

Currently we are working on a rewrite of the app based on a framework that allows for easier customization. Interestingly enough, this does produce the same OTP values as FreeOTP.
So it looks like it very much depends on the used hash primitives, how they handle too short keys.

Just for clarification, Microsoft Authenticator does not support anything but TOTP by design.

Again, nothing wrong with them, RSA SecurID tokens have done only time-based OTP for years (their own proprietary, not TOTP standard). It just requires synchronized time on the server and mobile.
And that might not be a given if you sandbox everything including the PI server…
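
An added example, not part of any post in this thread and not privacyIDEA code: a small checker that decodes the `otpauth://` URI behind an enrollment QR code, lists where it deviates from the commonly used Key URI format, and shows how far apart the values are when the same secret is read as HOTP versus TOTP. The URIs are constructed; the secret is the RFC 4226 test key, and the function names are hypothetical.

```python
import base64, hmac, struct
from urllib.parse import urlsplit, parse_qs

def parse_otpauth(uri):
    """Return (token, issues); issues lists deviations from the Key URI format."""
    u = urlsplit(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    kind, issues = u.netloc.lower(), []
    if kind not in ("hotp", "totp"):
        raise ValueError(f"unknown token type {u.netloc!r}")
    if kind != u.netloc:
        issues.append("type is not lower-case")
    secret = q.get("secret", "")
    if secret != secret.upper() or "=" in secret:
        issues.append("secret is not unpadded upper-case base32")
    clean = secret.rstrip("=").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    if len(key) < 16:
        issues.append("key shorter than the 128-bit minimum of RFC 4226")
    if kind == "hotp" and "counter" not in q:
        issues.append("hotp without counter parameter")
    token = {"type": kind, "key": key,
             "algorithm": q.get("algorithm", "SHA1").lower(),
             "digits": int(q.get("digits", 6)),
             "counter": int(q.get("counter", 0)),
             "period": int(q.get("period", 30))}
    return token, issues

def otp(token, now=0):
    """HOTP (RFC 4226); for TOTP the counter is derived from the time `now`."""
    c = token["counter"] if token["type"] == "hotp" else int(now) // token["period"]
    mac = hmac.new(token["key"], struct.pack(">Q", c), token["algorithm"]).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** token["digits"]).zfill(token["digits"])

# Constructed sample URIs (secret = RFC 4226 test key "12345678901234567890").
GOOD = "otpauth://hotp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0"
ODD = "otpauth://HOTP/Example:alice?secret=gezdgnbvgy3tqojq"

if __name__ == "__main__":
    for uri in (GOOD, ODD):
        tok, issues = parse_otpauth(uri)
        print(tok["type"], otp(tok), issues or "conforming")
    tok, _ = parse_otpauth(GOOD)
    # What an app shows if it treats this HOTP token as TOTP (clock at t=59 s):
    print("misread as totp:", otp(dict(tok, type="totp"), now=59))
```

Running a decoded enrollment URI through a check like this before blaming an app shows whether the server, the QR code, or the app is the party deviating.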