i work with privacyidea and it’s a great tools
i have an issue :
When i create a token with admin right, and i scan the QR code with android phone or IOS phone i have the same OTP code.
But, when i create a token with user right and i scan the QR code with android phone and IOS Phone i don’t have the same OTP and only the IOS OTP works.
i test iphone X, iphone XI, google pixel and huawei P SMART Z
on each phone i use google authenticator.
it’s very strange.
Can you help me ?
You probably have different policies for your admins and your users.
I guess admins and users are using different settings, probably different hash algorithms.
Google Authenticator sucks. You should only use google authenticator with SHA1.
Last time I check I think Google Authenticator on Android supported sha256 and on iphone it did not. Or the other way round.
You might consider using the privacyIDEA Authenticator, which supports sha1, sha256 and sha512 on android and iphone.
Or: Check your policies!
thanks for you help cornelinux.
if i scan QR code on user interface with android and iphone it works only for iphone.
if i scan from admin interface, it works for both.
i need google authenticator because a lot of user use it for other 2FA.
i check my policy but i don’t see a difference for android or IOS.
you also have token settings not in policies but in the Config->Token. Check these as well! Make sure that everywhere is set SHA1.
i check and SHA1 is selected.
As I already explained: You have different policies for admins and for users and you are creating different QR codes with different hash algorithms as admin or user.
So you configured your system in a way, that results in this behaviour. This is possible. Nothing wrong.
We can not know, what you have configured.
You need to take a closed look at
- what your policies are,
- what you select in the rollout dialog
- what the QR code looks like.
Suggestion: Scan the QR codes with a qrcode scanner, that simply reads the code, and you will most probably see that you have different entries for the hash algo in the codes.
i scan with a QR code scanner and i have the same URL on android and IOS but, the OPT is not the same :s
so i think it’s not a policy or user problem.
We are doing circles here:
You said you have different results if
a) the admin creates a token or
b) the user creates a token.
yes that correct.
from admin, if i scan the QR code with a QR code scanner i have the same URL and the same OPT on android and IOS.
from User, if i scan the QR code with a QR code Scanner i have the same URL but not the same OPT on androit and IOS and only IOS Works.
You see. And now you have to go back to the start and read my first comment.
After research today because an android phone come to my office i find that if i set the time for OPT to 60 sec in policy, iphone set the OTP correctly but not android.
So i change to 30sec and it works
Thanks for help