Transferred from google/google-authenticator#157

Instead of storing the secrets in the SQLite database, the SQLite database should store the alias of the SecretKey in a java.security.KeyStore. This will allow migration to more secure methods of storage in the future.

Note that you'll have to use a JCEKS instead of the default JKS.

Original issue 402 created by TriplexAccount.P.N on 2014-07-08T10:27:41.000Z:

Copied from google/google-authenticator#401 because it applies to Android app (as well?).

What steps will reproduce the problem?

1. Call Screenshot Function from the specific smartphone

What version of the product are you using? On what operating system?
Google Authentificator: 2.49

Please provide any additional information below.
In general, it is not possible to take a screenshot of any inner user interface from a banking app for security reason. The Google Authentificator can be comprimised by using a trojan with screenshot function. Please disable the ability to take a screenshot from the main interface from the Google Authentificator.

I login with my username and password on Github, and it asks for my two-factor authentication auth code. I enter the code after doing a "Sync now" under "Time Correction for Codes" in the Google Authenticator Android app (4.60 on Android 4.4) which says "Time already Correct".
When I enter the code in Github, it says "Two-factor authentication failed.". I reached out to Github, who says their system is saying the codes are not correct.
On the Google Authenticator display it says "GitHub", then underneath the dynamic 6 digit code, and under that it says github.com/myusername. On the right is the countdown clock image.

In case when there are multiple OTP codes, it would help if they are visually different.
Maybe allowing a user to set a color for the OTP account, or perhaps adding a icon/emoji on left/right side of the code.

I have more than one screen of passwords; I'd love it to only be a screenful. The best layout would be:

Google: [email protected] 123456

with the expiry time as a thin "progress bar" at the top of the screen, given that it's the same for all the codes (at least for me). (If there's some way of it being different, then it could be a thin bar under each line.)

With a layout like that, you could fit 10 or 12 codes on the screen and still have them as readable. Although also, assigning each a random pastel colour would also help to distinguish them, and making the grey text a lighter grey would improve matters too.

Gerv

When running authenticator 2.49 on a Blu Studio Energy running 4.4.2 the generated codes are incorrect.

I also have a nexus 5 running 5.0.1, when inputting the same token seed to both phones the 4.4.2 device never generates the correct codes, while the 5.0.1 device using the same seed generates the proper codes.

I've also tried inputting the tokens using QR codes to eliminate the chance of user input error. I've confirmed the token codes are wrong for multiple sites including github, gmail, aws, several online games.

The times are synced up and accurate on both phones, I've also attempted to use the app's "time correction for codes" feature in setup and it indicates no changes need to be made.

I've loaded the FreeOTP app from RedHat on the device and the token codes work properly in that app, which further supports it not being a time sync related issue on the device.

When I click on scan a barcode, my app crashes.
We are using zbar library to scan qr code ourselves and we also use zxing core jar.
Can you point to where should I be looking at
The log that I see is here
FATAL EXCEPTION: main
Process: zebpay.Application, PID: 24127
java.lang.NoClassDefFoundError: Failed resolution of: Lcom/google/zxing/client/android/R$layout;
at com.google.zxing.client.android.CaptureActivity.onCreate(CaptureActivity.java:159)
at android.app.Activity.performCreate(Activity.java:5995)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1106)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2312)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2421)
at android.app.ActivityThread.access$900(ActivityThread.java:153)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1324)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:135)
at android.app.ActivityThread.main(ActivityThread.java:5347)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:904)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:699)
Caused by: java.lang.ClassNotFoundException: Didn't find class "com.google.zxing.client.android.R$layout" on path: DexPathList[[zip file "/data/app/zebpay.Application-1/base.apk"],nativeLibraryDirectories=[/data/app/zebpay.Application-1/lib/arm, /vendor/lib, /system/lib]]
at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
at java.lang.ClassLoader.loadClass(ClassLoader.java:511)
at java.lang.ClassLoader.loadClass(ClassLoader.java:469)
at com.google.zxing.client.android.CaptureActivity.onCreate(CaptureActivity.java:159) 
at android.app.Activity.performCreate(Activity.java:5995) 
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1106) 
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2312) 
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2421) 
at android.app.ActivityThread.access$900(ActivityThread.java:153) 
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1324) 
at android.os.Handler.dispatchMessage(Handler.java:102) 
at android.os.Looper.loop(Looper.java:135) 
at android.app.ActivityThread.main(ActivityThread.java:5347) 
at java.lang.reflect.Method.invoke(Native Method) 
at java.lang.reflect.Method.invoke(Method.java:372) 
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:904) 
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:699) 
Suppressed: java.lang.ClassNotFoundException: com.google.zxing.client.android.R$layout
at java.lang.Class.classForName(Native Method)
at java.lang.BootClassLoader.findClass(ClassLoader.java:781)
at java.lang.BootClassLoader.loadClass(ClassLoader.java:841)
at java.lang.ClassLoader.loadClass(ClassLoader.java:504)
... 15 more
Caused by: java.lang.NoClassDefFoundError: Class not found using the boot class loader; no stack available


I understand that this class is not found,but fail to understand why it is calling my app.

Thanks, Any help will be appreciated

What steps will reproduce the problem?

1. Open Authentication
2. Try to put Begin Setup button
3. Immediately unfortunately, authentication has stopped

What is the expected output? What do you see instead?
Immediately unfortunately, authentication has stopped

What version of the product are you using? On what operating system?
Package version 49
package version name: 2.49
On Android
device: LG G3

Please provide any additional information below.

This issue was originally reported on google code (https://code.google.com/p/google-authenticator/issues/detail?id=353) and then reopened on github (google/google-authenticator#346) but both records are closed.
However the issue still occurs.

Workaround
Originally posted on google code and reproduced at http://lifeisabug.com/google-authenticator-crashes-account-setup-workaround/

1. Open Authenticator but do NOT press the “Begin setup” button.
2. Instead, select “setup account” from the option menu.
3. Then from another device, go to https://accounts.google.com/b/0/SmsAuthSettings, select “Move to a different phone” and scan the QR code.

How to reproduce:
1- Open Autenticator
2- Choose "Start Configuration"
3- Choose "Read Barcode"

Application crashes before camera opens.

Android Version: 5.0
Celphone: Motorola Moto X second generation.

I am trying to clone my company's github repo. After I 'git clone' the repo Github login box comes up. I put my username and password and now I am asked for two-factor authentication. I get the code from the Authenticator app on my Samsung S7 and put it in just to see 'Logon failed' in command line. I already synced the time in the app, it was right in the first place.

I am locked out from accessing my own work and this happened to me for 2nd time. The last time it I was able to get the authentication code that works by using my old mobile.

Edit:
It worked for me now as well by using my old mobile which means that the authenticator app on my new mobile generates wrong codes. How is it possible? Why the codes generated by my newer mobile are completely different (and wrong) than the codes generated by the old mobile (I was comparing the two apps for a few minutes.)

When I perform this sequence of events, the context menu on screen disappears:

1. Long Click on code item
2. Orientation Change

Device: Nexus 4
Android Version: 5.1.1
Build number: LMY48T

Steps to reproduce:
Installed Google Authenticator from Play Store
Launched the app
Clicked on "BEGIN"
Below "Add an account" clicked on "Scan a barcode" and got the message popup saying "Barcode scanner is not available now" with "OK" to click.
Tried installing few barcode scanners app from Play Store and then trying to add account, result is same. See attached screenshot.
Please suggest if there is any workaround for this issue.

Are you pursuing FEDRAMP Approval for Google Authenticator for Government Agencies? Is there any plans of initiating this process within the near future?

Authenticator should copy codes to the clipboard on a single tap. For me, copying codes is one of the most frequent operations I perform in Google authenticator. Switching to a single-tap copy workflow would shave off a few seconds in copying codes which would help me not run out of time to use them. Red Hat's FreeOTP application has this functionality already.

Current Workflow

1. Open Authenticator.
2. Find appropriate identity.
3. Long-press code.
4. Tap copy icon.
5. Code is in clipboard.

Proposed Workflow

1. Open Authenticator.
2. Find appropriate identity.
3. Tap code.
4. Code is in clipboard.

I noticed a few days/weeks ago that all tokens generated by the Google Authenticator app were deemed invalid. None of the accounts/websites accepted the generated keys. Nothing obviously happened on my phone. I didn't reset it, didn't replace it with a new handheld or anything else.

After some fiddling around and changing the date/time settings and setting the checkbox on "Use 24-hour notation" in the Android settings the issue was resolved.

Apparantly the Authenticator app does not work properly anymore when the 24-hour vs am/pm notation is changed.

It is unclear to me why the 24-hour notation was changed into am/pm in the first place, as I prefer 24-hour notation. However, this could have been my kid fiddling around on my phone or I could have done it by accident. But nevertheless, the Authenticator app shouldn't stop working after changing time display settings.

I believe this is a bug.

On iOS the token numbers are grouped like "123 456", which makes much more readable when logging in. It would be a good idea if the Android version would do the same.

Also the blue colour for the token helps to read the numbers.

Android Wear integration would make using 2-factor authentication a much simpler process when you don't have to hunt for your phone every time you want to log into a website/service. This feels like a significant omission in the Android ecosystem.

Hi guys!

How do you guys feel about add those 3 values (account name, key and time based) through the intent from another app in EnterKeyActivity?

The thing is, I have all this values and I'd like to make the process to enable it easier. In this way the user will only need to tap ADD button.

Currently all entries are sorted in the order how they were originally add, this is sometimes very annoying if you have more than a few entries. It would be a good addition to let the user sort them manually.

Where do I find the updated source code of the Google Authenticator (v4,74) (with integrated barcode scanner, material design, etc.) as described at the Play Store?
Is it available at all?

It would be great if the Google Authenticator would have support to store the secret keys on an external secure storage like YubiKey. The current implementation is not very secure as the secure keys are stored as a plain text in the SQLite DB. If the device is compromised, the attacker can potentially compromise the account secured by the secret key.

The implementation should be similar to Yubico Authenticator. That would allow to secure applications which do not support YubiKey directly.

Ever since I upgraded to Android 5.0 Authenticator codes no longer work and if do Settings -> Time correction for codes -> Sync now the app crashes.

Referenced here. I have two devices, both using the same 2fa keys, but at any given time, they show different passwords. One, a Samsung S7 will sync with google servers and display the message "Time already correct". The other, a Samsung Note (Android version 4.4.2) gives the error "Sync now: There was a problem contacting Google's server. Please check your network settings and try again."

Both devices are connected to the same wifi network and both are using the latest version of the app. Any help is appreciated.

While scanning a QR code to help my friend setup an account for a service we both use, the authenticator simply overwrote my previous hash and put his in it's place, instead of either creating another entry or simply giving me a prompt asking me if I confirm the operation.

As a side note, now I can't recover my acess to said service anymore, since I don't possess the unlock code and seemingly there's no google account linked to that hash. I can't believe such a thing really wasn't thought about, it's a basic security flaw.

I'm using Android 4.4.2 and latest version of the authenticator from playstore.

There were made serveral bug fixes in since it was placed on github. Please release those to the app market, the fixes were necessary for me to let this app work. i do now have a self compiled apk on my phone....

I noticed that my codes were not working with my Github account. Assuming it was a time sync issue, I tried to perform time correction and received the following error:

There was a problem contacting Google's server. Please check your network settings and try again.

Upon making a new account, I tried enabling 2fa via Google Authenticator again and the codes did not work.

We really need a password protection / pin to enter the app and save the local data as encrypted.
I am very surprised this feature is not in the app, seems VERY basic security (you can't count only on the Android login passord for access security)

regards

Sean

Reopened from Issue 411 under google-authenticator (which was closed because that repo is apparently not for the android version anymore...)

Original issue 412 created by nick.krabbenhoeft on 2014-07-30T06:30:03.000Z:

What steps will reproduce the problem?

1. I enabled 2-step verification for a Google Apps for Non-Profits account. It works
2. I go to my phone's Authenticator which I use with my Gmail account, and try to add the Google Apps account
3. Error, "Continue on a computer."

What is the expected output? What do you see instead?
I expect a new account to be added. I receive instructions to "To enable 2-step verifcation, visit accounts.google.com/security..."

What version of the product are you using? On what operating system?
Authenticator 2.49 on Android 4.4.2

Please provide any additional information below.
I've tried disabling and re-enabling 2-step to know effect.

We are currently using Google Authentication for our Multi-factor authentication. However, the system is not accepting the Google code that is being returned to International users with an international phone.

We have done a bit of testing internationally and have found that it is working when a US based Phone and person is internationally based but is not working for an international based phone and person in the same location.

The internationally based user was able to download the app to the internationally based phone, and receive the code when prompted, however, the system does not accept the code. They received a “response Invalid” each time. We tried a few times and got the same results. A US based user and phone was able to receive the code and successfully login to the system.

We have not been able to find any information that limits the use of Google MFA to US based carriers.

The initial counter value for HOTP registrations should allow the full 8-bytes as specified in RFC 4226.
Currently the com.google.android.apps.authenticator.AuthenticatorActivity parseSecret() method is attempting to parse the counter from the scanned QR code using

Integer.parseInt(counterParameter);

This should clearly be using

Long.parseLong(counterParameter);

and everywhere the counter is declared, it should be using Long not Integer.
The manual key entry screen should also allow for counter entry if possible.

When I perform these sequences of events, the scroll view on screen goes back to the top:

Sequence 1:

1. Click on More...
2. Click on Settings
3. Click on Time Correction
4. Click on About this feature
5. Scroll Down
6. Orientation Change

There are several comments in Google Play about the crashes in Android Lollipop (specially in LG G3 mobile).
In my device (LG G3) with Android 5.0 crashes when I press "Start configuration" and when I select (in menu) "Configuration" > "Hour correction in codes".

As Blizzard Authenticator, we can set a widget on home screen to update the one-time pasword and not need to access the app.

hi all. when i worked at google, i loved that i could get an OTP over bluetooth and confirm by knocking on my phone while it was in my pocket (to prevent unauthorized requests). any chance you could add that to this open source app? thanks in advance!

original issue google/google-authenticator#176. original original issue 177 in google code project:

Suggestion to create a mechanism to retrieve OTP over bluetooth for the Android Google Authenticator Application

User would put the cursor on a text box in the browser and then hit a (configurable) key combination (e.g. CTRL+SHIFT+i) and it would automatically get an OTP code from the phone´s application and paste it into the text box.

This would probably need an accompaining Mac and Windows client aplication that would have to run as a service and intercept the key combination in order to then request the code to the phone.

This would make the usage of OTP much more practical.

I encountered always wrong verification code on my phone, e.g. 396731, correct is 396709.

The correct code is found by using php's Google Authenticator's source code. The wrong code is 22396709 mod 999999, instead of mod 1000000 (always reproducable). The tested phone is Lenovo S930, android 4.4.2.

Not sure if the bug is related to the logic in this project. Thus reported here for reference.

Some corresponding parameter of the final code 396709

hmac output: 287f5c148333f125aa4507950eca8155bf25556e
final 32-bit integer before mod 1000000: 22396709

Not to get code and password

I wonder if it is possible to change the key generation of dynamic way?

Changing the getSecret () method it is possible to generate the token, but in validation in the application is not possible.

One observation is that I'm not using google but in a company's authentication system.

As I add more and more things to my Google Authenticator, I come to realise that every account has a unique and annoying way to recover if the seeds are lost. Google has backup codes which aren't too bad, but other sites sometimes require contacting support and the like.

What I really want to be able to do is send my Authenticator seeds from an old device to a new one e.g. via QR code scanning, Android Beam, etc.

Is this feature acceptable to the maintainers? If so, I might try my hand at implementing it, as it's time for me to replace my phone and I don't want to have to manually go around all six accounts and scrobble with the migration.

The Google Auth Android client works well for a few entries. People like me have about 20 entries, not sorted (well sorted by when you've added them which is meaningless). You should be able to:

Sort them (manually, by issuer, or by provider, at least one of those)
Possibly group them together in one level tree

otpauth://totp/ckpool:ckolivas?secret=46PABKV2HL2BYL5P&algorithm=SHA256&issuer=BitclubPool

I'm setting the SHA256 parameter in the above example but google-authenticator doesn't seem to be using it correctly(it works fine in the Red Hat FreeOTP app). I'm setting the parameter based off of this readme.

The Android client should allow editing the issuer (what looks like the title of each row). It's not a security element as one can easily hack it to add it in the QR code URL.

What steps will reproduce the problem?

1. Go to auth setup page (Google, Amazon AWS, ...)
2. Scan code or enter code manually
3. New entry added to Authenticator
4. Codes wont be accepted to verify Authenticator ("Wrong code. Please try again"

What is the expected output? What do you see instead?
Not able to use Authenticator as "connection" wont be verified.

What version of the product are you using? On what operating system?
Authenticator v2.49 on Android 4.4.2 (latest available for my phone [Wiko Highway Signs])

Please provide any additional information below.
Never had any problems with the Authenticator on my old phone (Samsung Galaxy S).
Disabled 2-step auth properly before trying to add the auth on the new phone.
Setting up auth does not work with any "provider" (Google, Amazon AWS, ...).
I did sync the time in Authenticator (No update required, time already syncronised); I re-installed Authenticator; I rebooter the phone; I uninstalled Authenticator, rebootet the phone, installed Authenticator again; nothing helped.

Thanks for your help!

Android 6.0.1 / Samsung Galaxy 7 Edge

Installed authenticator from the store. Run authenticator, Tap "Begin setup", tap "Scan a barcode", back to the "Begin setup" page rather than the scanner opening to scan the QR code.

This seems to be in an infinite loop. I have used the authenticator succesfully on other android devices but not seen this issue before. Have re-installed a couple of times with no success and cannot find any help elsewhere for this issue.

Any ideas?

On large screen devices it is easy to read from a distance all the codes displayed on the screen, even though I only ever need one of them at a time.

Please add a setting to have all the codes hidden by default so I can just show the one I want to use instead of exposing all of them to shoulder-surfers.

I know the risk from exposure in this regard is low, but it is still an unnecessary risk that can be easily mitigated.

The currently available version in the Play Store is Google Authenticator 2.49, while the source here reflects the already very old version 2.21.

It would be very nice by Google to provide source code for the latest release as well, which I would highly appreciate for such a sensitive security application like a secure token generator.

When I perform these sequences of events, the dialog on screen disappears:

Sequence 1:

1. Long Click on code item in list
2. Click on Rename
3. Orientation Change

Sequence 2:

1. Long Click on code item
2. Click on Remove
3. Orientation Change

It would be great to allow to manually set the server time correction, for when the device is offline for extended periods. This is not a huge problem when the clock drifts forward, but renders the program nonfunctional when the clock drifts more than 30 seconds backward.

I just try to set up a new account and it crashes.
Samsung Galaxy S5

My mobile phone died yesterday (android 5.1.1 Nexus 5).

Today I set up the replacement (android 5.1.1. Nexus 6). But after installing google-authentticator only the google account appears. None of the others do. I am pretty messed up trying to access my diverse accounts now. Not to mention that the account list was very long and I can't even find a way to list up for which services google authenticator was set up.

Has something gone wrong? Or is this expected behaviour?