Second authentication must not fail?

Hi everyone!

I am setting up two-factor authentication in our small-sized company using privacyIDEA. I got the server running and I am able to authenticate with the PIN, and the next step shows up in which I should type in my one-time password from my cellphone application. But each time I input a wrong OTP, the second try always fails. I'm pretty sure I typed in the correct one-time password the second time. I tried authenticating again from the start and it goes through successfully. Is it possible to have a second try if I mistyped my one-time password? Just like with Googlemail, where I can try a couple of times, I think it's up to 3 times. Hope you guys could help me.

With kind regards
Jojo

Hi Jojo,

please provide some more information:

  • where do you authenticate? Is it any application? This would matter because it heavily depends on how the application communicates with privacyIDEA.
  • what token type are you using?

Each time I input a wrong OTP, the second try always fail.

It is supposed to work this way. Wrong OTP → auth fail :wink:

If you are really sure that you typed the right OTP value the first time, then your token might be out of sync. Out of sync means that the counter of an HOTP token differs a lot or the time of your token is much different from the server's time. Autosync would have the effect that the authentication with the second OTP value would work.

The important information is: What token type are you using?

This is an old blog post of mine: Getting help – privacyID3A
Kind regards
Cornelius

Hi Cornelius,

OK, here is some info I got from your old blog post:

Which way of installation did you choose?
  • I installed it using your guide for Ubuntu 16 in the documentation
Which version of privacyIDEA are you running?
  • It says python-privacyidea 2.18.1-1xenial (dpkg -l python-privacyidea)
What database are you using?
  • mysql, since the config has SQLALCHEMY_DATABASE_URI = 'mysql://pi:xxxxxxxxxx@localhost/pi'
In which webserver (Apache2, Nginx, integrate) are you running?
  • Apache 2.4.18
How does your pi.cfg look?
    import logging
    SUPERUSER_REALM = 'super'
    PI_ENCFILE = '/etc/privacyidea/enckey'
    PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
    PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
    PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
    PI_LOGLEVEL = 20
    PI_PEPPER = 'aaaaaaaaaaaaaa'
    SECRET_KEY = 'bbbbbbbbbbbbbb'
    SQLALCHEMY_DATABASE_URI = 'mysql://pi:xxxxxxxxxxx@localhost/pi'

I'll try to explain the problem in detail. I am using the mysql database as my user store for the users and tokens. My partner would like to integrate the authentication process using the REST API. In this part we are still working on integrating it with our PHP-based site. So for the meantime, I am testing the user access through the privacyIDEA WebUI so they are able to manage their own tokens. With our basic setup, we can authenticate against the privacyIDEA server using TOTP, HOTP or paper tokens successfully. But it seems that the authentication does not allow another try if the one-time password entered is wrong. I was wondering if it's the same as with the Google two-step in their email service, wherein you are asked to "try again" if you entered the wrong one-time password.

What I did: I typed in my username and the PIN, then it was authenticated and asked me for the one-time password (this user has only a TOTP token). I entered a wrong one-time password first and got the error "Authentication failed. Wrong credentials". So I assumed I could try again and type in the correct one, which my phone generated. But it still ended with the same error although I had already entered the correct one-time password.

In summary, the proper questions I think would be:

  1. After a wrong one-time password is entered, can I try again? It is common for users to make a typing mistake.
  2. Should I do the authentication from the start again if I mistyped the OTP?
  3. If the answer to number 2 is yes, shouldn't the page return to the start where you enter your username and PIN/password again?

I hope you could guide me through this. Please excuse my english text, I am not a native speaker.

With kind regards
Jojo

Hi Jojo,

OK, now I understand! You are doing challenge response with a TOTP token at the WebUI.

In regards to the API: the first call with the PIN returns a transaction_id; your colleague needs to pass the transaction_id and the OTP in the second call.
The API also allows several second calls, if the first one did not succeed.
http://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-check

The WebUI, however, transmits an empty transaction_id in a second call. This is why the second try with an OTP value fails.

I think we might consider this a bug :wink:
You are welcome to open an issue at github.

Thanks for looking into this and insisting.

Kind regards
Cornelius
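The two-step flow Cornelius describes, as an added example for the PHP integration Jojo mentions (this is not code from the privacyIDEA project or from either poster). It assumes only what the thread and the linked /validate/check documentation state: a POST with the PIN comes back with `result.value` false and a `detail.transaction_id`, and a later POST carrying that `transaction_id` plus the OTP comes back with `result.value` true; the same transaction may be answered more than once. Because the example has to run offline, a constructed in-memory fake stands in for the server; its message texts and its cap of three answers per challenge are assumptions of the fake, not documented privacyIDEA behaviour. The `demo()` function also reproduces the WebUI bug from the thread by sending an empty `transaction_id` on the retry, which the server can only treat as a fresh step 1 with the OTP in the PIN field.

```python
import json
import secrets
import urllib.parse
import urllib.request


def http_post(base_url):
    """Transport for a real server: form-POST to <base_url>/validate/check (assumed layout)."""
    def post(fields):
        data = urllib.parse.urlencode(fields).encode()
        url = base_url.rstrip("/") + "/validate/check"
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
            return json.loads(r.read().decode())
    return post


class ChallengeResponseClient:
    """PIN-then-OTP login; `post` is any callable(fields: dict) -> parsed JSON body."""

    def __init__(self, post):
        self._post = post

    def start(self, user, pin):
        """Step 1: send the PIN. Returns the transaction_id, or None if no challenge was issued."""
        body = self._post({"user": user, "pass": pin})
        return (body.get("detail") or {}).get("transaction_id")

    def answer(self, user, transaction_id, otp):
        """Step 2: send the OTP together with the transaction_id from step 1."""
        body = self._post({"user": user, "transaction_id": transaction_id, "pass": otp})
        return bool(body["result"].get("value"))

    def login(self, user, pin, otps, max_attempts=3):
        """Whole flow: PIN once, then up to max_attempts OTPs on the SAME transaction_id."""
        tid = self.start(user, pin)
        if not tid:
            return False
        return any(self.answer(user, tid, otp) for otp in otps[:max_attempts])


class FakePrivacyIdea:
    """Constructed stand-in for /validate/check so the example runs offline (not privacyIDEA code)."""

    def __init__(self, users, max_answers=3):
        self._users = users        # {user: (pin, the one OTP the fake accepts)}
        self._challenges = {}      # transaction_id -> [user, answers_left]
        self._max = max_answers    # assumed retry cap of the fake, not a documented server value

    def post(self, fields):
        user, tid = fields.get("user"), fields.get("transaction_id")
        if tid:                    # step 2: answer an open challenge
            return self._answer(user, tid, fields.get("pass"))
        pin = self._users.get(user, (None, None))[0]
        if pin is None or fields.get("pass") != pin:
            return self._reply(False, "wrong pin")
        new_tid = secrets.token_hex(8)
        self._challenges[new_tid] = [user, self._max]
        return self._reply(False, "please enter otp", transaction_id=new_tid)

    def _answer(self, user, tid, otp):
        chal = self._challenges.get(tid)
        if chal is None or chal[0] != user:
            return self._reply(False, "no open challenge")
        chal[1] -= 1
        if otp == self._users[user][1]:
            del self._challenges[tid]          # one-shot: a used challenge cannot be replayed
            return self._reply(True, "otp accepted")
        if chal[1] <= 0:
            del self._challenges[tid]          # out of answers: start over with the PIN
        return self._reply(False, "wrong otp")

    @staticmethod
    def _reply(value, message, **detail):
        detail["message"] = message
        return {"result": {"status": True, "value": value}, "detail": detail}


def demo():
    """Constructed user 'jojo' with PIN 1234; returns (retry_ok, retry_without_transaction_id_ok)."""
    server = FakePrivacyIdea({"jojo": ("1234", "755224")})
    client = ChallengeResponseClient(server.post)
    # Mistype once, then send the right OTP on the same transaction_id: succeeds.
    retry_ok = client.login("jojo", "1234", ["755223", "755224"])
    # What the WebUI does per the thread: the retry arrives with an empty transaction_id,
    # so the server sees a new step 1 whose "PIN" is the OTP, and rejects it.
    tid = client.start("jojo", "1234")
    client.answer("jojo", tid, "755223")
    lost_ok = client.answer("jojo", "", "755224")
    return retry_ok, lost_ok
```

For the real server, construct the client as `ChallengeResponseClient(http_post("https://pi.example/"))` (the host is a placeholder) and keep the transaction_id in the session between the two form posts; the client above never stores the PIN or OTP, and the fake shows why the transaction_id is the only thing that ties the second request to the first.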