PrivacyIdea App does not work with Office365

christophm · February 20, 2020, 6:00pm

Hello,

I wanted to use the PrivadyIdea App to add a second factor for my Office365 account.
https://portal.office.com/account/#security

It’s possible to add the account (click on “Configure app without notifications”) but verification fails afterwards.

I would not mind if it would fail with other auth apps as well but it works with “Google Authenticator” as well as “FreeOTP”.

msauth

Any idea?

Thank you,
Christoph

cornelinux · February 20, 2020, 6:21pm

I know that the microsoft authenticator sucks and simply defaults to TOTP.
My suspicion is, that Microsoft also sucks in generating a compliant QR code.
I know that freeotp also defaults to TOTP.
So my claim would be that Office305 simply creates a faulty QR code, which the privacyIDEA authenticator interprets correctly and the other authenticators interpred positive faulsly.
If you are willing to share the qr code, then we can verify my claim.

You should change the topic to Office365 generates non-standard qrcodes

christophm · February 20, 2020, 6:56pm

OK, I’ve sent you a direct message with a real QR code.

Thx,
Christoph

henry · February 20, 2020, 9:24pm

The OTP apps are definitely not all created equal…
Especially if you don’t want TOTP (that requires accurate time).
Below is a QR code for a HOTP token that I just created on PI 3.2.2 Screen Shot 2020-02-20 at 3.16.50 PM
It is recognized as TOTP by FreeOTP and generates faulty numbers.
Goggle Auth and PI app show the same and pass test on the PI server.
Unlike TOTP, with HOTP there is more than one “right” number (press next or reload in the app)

Another layer of discrepancy can be noted when using 8-characters tokens.
Also, FreeOTP on Android and iOS are not always the same…

Go figure…

cornelinux · February 22, 2020, 6:20am

Currently we are working on a rewrite of the app based on a framework that allows for easier customization. Interestingly enough, this does produce the same OTP values like FreeOTP.
So it looks like it very much depends on the used hash primitives, how they handle too short keys.

henry · February 24, 2020, 3:20pm

Just for clarification, Microsoft Authenticator does not support anything but TOTP by design
https://support.microsoft.com/en-ca/help/4026727/microsoft-account-how-to-use-the-microsoft-authenticator-app

Again, nothing wrong with them, RSA SecurID tokens do only time-based OTP for years (their own proprietary, not TOTP standard). It just requires synchronized time on the server and mobile.
And that might be not be a given if you sandbox everything including the PI server…