Please add more details on "Token is unsafe!" message #287

Open
ChristianStadelmann opened this issue Jan 9, 2023 · 9 comments

Comments

@ChristianStadelmann
Contributor

When scanning a QR code from Microsoft's mfasetup on https://aka.ms/mfasetup, I get this warning:

Token is unsafe!

The token you are attempting to add contains weak cryptographic parameters. Use of this token is stronly discouraged! Please alert your token provider.

[Cancel] [Add Anyway]

It might be useful to have more details on why the token is unsafe, e.g. some text about the algorithm (cipher, key exchange mechanism, parameters, …). If possible, it would also be nice to tell why the token is unsafe.

Version info:
FreeOTP 2.0 (24) from F-Droid repository on Android 11.

@yanivhs

yanivhs commented Jan 9, 2023

I'm using sha512 tokens, and also got this message...

Looking at the app code, you can see it expects it to use uppercase letters while in the examples they are in lowercase.

@ChristianStadelmann
Contributor Author

ChristianStadelmann commented Jan 9, 2023

Looking at the app code, you can see it expects it to use uppercase letters while in the examples they are in lowercase.

Thanks for this hint, I've created #288 for that.

Nevertheless, it would be interesting to have more details in case of a "Token is unsafe!" message, so I'll leave this issue open.

@ninernet

I recently (3 January) factory-reset my phone and reinstalled the app. I didn't even look for options to back up what I already had set up in the app (and I don't think they existed in the version I had installed at the time) as I assumed that getting set up again with the vendors that require the use of an authenticator app would be straightforward. How wrong I was!

I only had two vendors set up in the app. The first one I tried to re-set up is a company where I expect issues on an almost daily basis, and I got the "Token is unsafe!" warning. I brought it to their attention last week and I am still awaiting a response on how I should proceed. With my bank today I did not expect this warning, and after half an hour of trying to help me they gave up and opened a ticket with their IT department.

So yes, per the original poster some additional information would probably be useful. But since this is affecting a bank and Microsoft (as opposed to mom-and-pop outfits), I'm actually wondering if this might be a bug. Supposedly I will hear from my bank tomorrow, but in advance I've been trying to find information on this issue so that I can look semi-intelligent when they call.

@mokraemer

It looks like freeOTP requires that tokens have at least 128 bits (26 base32-coded digits). Otherwise it is considered insecure.
It would be very helpful to show this hint. 80 bits (16 base32 digits) were accepted before and are still by the iOS app.

@justin-stephenson
Contributor

It looks like freeOTP requires that tokens have at least 128 bits (26 base32-coded digits). Otherwise it is considered insecure. It would be very helpful to show this hint. 80 bits (16 base32 digits) were accepted before and are still by the iOS app.

Yes, due to https://www.ietf.org/rfc/rfc4226.txt algorithm compliance requirements but I agree we should more clearly state this in the error message. We should also establish uniformity with FreeOTP iOS, and perhaps provide an option to ignore this insecure warning and add the token anyway.
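As an added illustration of the check this thread is describing (not FreeOTP's own code): decode the base32 secret from an otpauth:// URI, measure it against the RFC 4226 R6 thresholds (128 bits required, 160 recommended, i.e. 26 and 32 base32 digits), and produce the kind of detailed diagnostic the issue asks for. The URIs, secrets and function names are constructed for the example; the algorithm name is compared case-insensitively, which covers the lowercase "sha512" point raised earlier.

```python
"""Explain a 'Token is unsafe!' verdict: decode the otpauth:// secret and
compare its length with RFC 4226 R6 (key MUST be >= 128 bits, SHOULD be 160).
Added example, not FreeOTP's code; only the thresholds come from the RFC."""
import math
import base64
from urllib.parse import urlparse, parse_qs

RFC4226_MIN_BITS = 128          # R6: shared secret MUST be at least 128 bits
RFC4226_RECOMMENDED_BITS = 160  # R6: SHOULD be 160 bits
KNOWN_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

# Constructed sample URIs: a 16-digit (80-bit) secret and a 26-digit (128-bit) one.
WEAK_URI = ("otpauth://totp/Example:alice@example.com"
            "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=sha512")
OK_URI = ("otpauth://totp/Example:alice@example.com"
          "?secret=JBSWY3DPEHPK3PXPJBSWY3DPEH&issuer=Example")


def base32_chars_for_bits(bits: int) -> int:
    """Minimum base32 digits (5 bits each) needed to carry `bits` of key."""
    return math.ceil(bits / 5)  # 80 -> 16, 128 -> 26, 160 -> 32


def decode_base32_secret(secret: str) -> bytes:
    """Lenient base32 decode: ignore case and spaces, add missing padding.
    Bits beyond the last whole byte are dropped, as b32decode does."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def diagnose(uri: str) -> dict:
    """Return the parsed token parameters plus a human-readable list of
    reasons the token would be judged weak (empty list = acceptable)."""
    u = urlparse(uri)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params["secret"]
    key_bits = len(decode_base32_secret(secret)) * 8
    # Compare case-insensitively: issuers emit "sha512" as well as "SHA512".
    algorithm = params.get("algorithm", "SHA1").upper()
    problems = []
    if key_bits < RFC4226_MIN_BITS:
        problems.append(
            f"secret is {key_bits} bits ({len(secret)} base32 digits); RFC 4226 "
            f"requires >= {RFC4226_MIN_BITS} bits "
            f"({base32_chars_for_bits(RFC4226_MIN_BITS)} digits) and "
            f"recommends {RFC4226_RECOMMENDED_BITS}")
    if algorithm not in KNOWN_ALGORITHMS:
        problems.append(f"unknown HMAC algorithm {algorithm!r}")
    return {"type": u.netloc, "label": u.path.lstrip("/"),
            "key_bits": key_bits, "algorithm": algorithm, "problems": problems}
```

Running `diagnose(WEAK_URI)` reports 80 bits / 16 digits against the 128-bit / 26-digit requirement, which is the explanation the current warning omits.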

@mokraemer

It is OK to force better keys. But e.g. PHPGangsta has a default length of 80 bits. And I was confused that I was now warned about an unsafe "algorithm" and did not know that "only" the length should be extended to >128.

@kingma-sbw

I'm not sure if the hint to swap the OTP app just for GH is an acceptable solution.

@telephon

telephon commented Jan 8, 2024

Also, the QR-code displayed after the scan doesn't visually match the original QR-code – this is very confusing. I would expect such a behavior from an app that has been tinkered with.

@michaelni

I also ran into this ;(
The quoted RFC 4226 is about HOTP, but the message is displayed for TOTP too.
Besides this, the message "Token is unsafe" is a stretch. Assuming you could use the whole world's specialized ASICs from bitcoin mining to break a single 80-bit TOTP, it would still take over a year to brute-force. IMHO the message should be toned down a bit and made clearer about what exactly the issue is; as it is, it unnecessarily scares the user without even giving clarity about what the issue is.

8 participants