QR Code Android VS IOS on Admin VS Users

cnopix · September 4, 2020, 12:57pm

Hi Everyone,

i work with privacyidea and it’s a great tools

i have an issue :

When i create a token with admin right, and i scan the QR code with android phone or IOS phone i have the same OTP code.

But, when i create a token with user right and i scan the QR code with android phone and IOS Phone i don’t have the same OTP and only the IOS OTP works.

i test iphone X, iphone XI, google pixel and huawei P SMART Z

on each phone i use google authenticator.

it’s very strange.

Can you help me ?

Cnopix.

cornelinux · September 4, 2020, 4:55pm

You probably have different policies for your admins and your users.
I guess admins and users are using different settings, probably different hash algorithms.

Google Authenticator sucks. You should only use google authenticator with SHA1.

Last time I check I think Google Authenticator on Android supported sha256 and on iphone it did not. Or the other way round.

You might consider using the privacyIDEA Authenticator, which supports sha1, sha256 and sha512 on android and iphone.

Or: Check your policies!

cnopix · September 4, 2020, 7:13pm

thanks for you help cornelinux.

if i scan QR code on user interface with android and iphone it works only for iphone.
if i scan from admin interface, it works for both.

i need google authenticator because a lot of user use it for other 2FA.

Br,

cnopix · September 7, 2020, 12:08pm

i check my policy but i don’t see a difference for android or IOS.

Br,

laclaro · September 8, 2020, 7:08am

Hi Br,

you also have token settings not in policies but in the Config->Token. Check these as well! Make sure that everywhere is set SHA1.

Best,

Henning

cnopix · September 8, 2020, 8:21am

i check and SHA1 is selected.

Cnopix

cornelinux · September 8, 2020, 4:08pm

As I already explained: You have different policies for admins and for users and you are creating different QR codes with different hash algorithms as admin or user.
So you configured your system in a way, that results in this behaviour. This is possible. Nothing wrong.
We can not know, what you have configured.
You need to take a closed look at

what your policies are,
what you select in the rollout dialog
what the QR code looks like.

Suggestion: Scan the QR codes with a qrcode scanner, that simply reads the code, and you will most probably see that you have different entries for the hash algo in the codes.

cnopix · September 9, 2020, 7:56am

i scan with a QR code scanner and i have the same URL on android and IOS but, the OPT is not the same :s

so i think it’s not a policy or user problem.

Cnopix

cornelinux · September 9, 2020, 9:16am

We are doing circles here:

You said you have different results if
a) the admin creates a token or
b) the user creates a token.

cnopix · September 9, 2020, 11:06am

yes that correct.

from admin, if i scan the QR code with a QR code scanner i have the same URL and the same OPT on android and IOS.

from User, if i scan the QR code with a QR code Scanner i have the same URL but not the same OPT on androit and IOS and only IOS Works.

Cnopix

cornelinux · September 9, 2020, 5:39pm

You see. And now you have to go back to the start and read my first comment.

cnopix · October 19, 2020, 12:34pm

After research today because an android phone come to my office i find that if i set the time for OPT to 60 sec in policy, iphone set the OTP correctly but not android.

So i change to 30sec and it works

Thanks for help
br,

Cnopix.