
HOTP token wrong start counter?

Open adrianimboden opened this issue 4 years ago • 2 comments

Hi team

Thanks for your great app, I use it on a daily basis :)

I am working on implementing HOTP in my application (as a prerequisite for TOTP). To verify my implementation I used FreeOTP+.

I got shifted values and I'm not sure if the problem may lie in the app's code (I assume HOTP is not in use quite broadly compared to TOTP).

I think that this piece of code makes it so that the start value begins with -1 (or wrapped: max uint64): https://github.com/helloworld1/FreeOTPPlus/blob/f2dc184000bfc226367d44894a24c9d16ed5fc95/token-data/src/main/java/org/fedorahosted/freeotp/data/OtpTokenFactory.kt#L65

If I use max uint64/-1 in my code as counter value, I get the same value:

Output of my application:
[test] b32 key: MFRGG===
[test] value: -1: 97414
[test] value: 0: 70717
[test] value: 1: 51739
[test] value: 2: 19424


Output of the FreeOTP+ application:
1. click: 97414
2. click: 70717
3. click: 51739
4. click: 19424

I did not see anything in the RFC that the counter should start with -1. Do I understand something wrong?

adrianimboden avatar Dec 17 '21 00:12 adrianimboden
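
The check described in the post above, as an added example that is not part of the original thread and not FreeOTP+ code: an RFC 4226 HOTP function that wraps the counter to an unsigned 64-bit value, plus a helper that finds which start counter reproduces a sequence of displayed codes. The names `find_start_counter` and `SHIFTED` are hypothetical, and the sample uses the RFC 4226 Appendix D test key rather than the key from the issue.

```python
import hashlib
import hmac
import struct

UINT64_MASK = 0xFFFFFFFFFFFFFFFF


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. The counter is reduced to an unsigned 64-bit value,
    so -1 and 2**64 - 1 produce the same 8-byte big-endian message."""
    msg = struct.pack(">Q", counter & UINT64_MASK)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset (0..15)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def find_start_counter(key, observed, candidates=range(-2, 3), digits=6):
    """Return the start counter for which consecutive counters reproduce
    the whole observed sequence, or None if no candidate matches."""
    for start in candidates:
        if all(hotp(key, start + i, digits) == code
               for i, code in enumerate(observed)):
            return start
    return None


# RFC 4226 Appendix D test key and its codes for counters 0..3.
RFC_KEY = b"12345678901234567890"
RFC_CODES = ["755224", "287082", "359152", "969429"]

# Constructed sample: what a generator that starts at -1 would show on
# its first four clicks with the RFC key.
SHIFTED = [hotp(RFC_KEY, -1)] + RFC_CODES[:3]

if __name__ == "__main__":
    print("conforming generator starts at:", find_start_counter(RFC_KEY, RFC_CODES))
    print("shifted generator starts at:   ", find_start_counter(RFC_KEY, SHIFTED))
```

To run the same comparison on the issue's token, pass `base64.b32decode("MFRGG===")` (the bytes `abc`) as the key, together with the digit count the token is configured for.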

Hmm, I think it's related to a refactor that was done. Will need to check the behavior. I wonder if the -1 count is causing any major issues or minor inconvenience.

helloworld1 avatar Jan 14 '22 07:01 helloworld1

Maybe it only happens when adding the configuration manually? I did add it without QR Code for my test. That use case is probably not so common.

adrianimboden avatar Jan 14 '22 12:01 adrianimboden