OTP from Authenticator does not work with Acclaim/Cisco/Google and intermittent with OpenWrt Forum

Hi everyone,

 

Quick question on the Authenticator module of Intercept X for Android. I noticed this back then but didn't pay much attention until today.

 

I enabled 2FA for my account in the OpenWrt forum, and I used Intercept X for my authenticator instead of Google's. When I logged in today, I noticed that the site keeps on saying I entered an incorrect code even if I made sure I typed it within the time it was valid. I waited for it to change and entered a new one then retried, but it still doesn't go through. The first three instances I tried, I was entering the new code during the first half of it's duration (I'm referring to the circle that slowly fills out as the time lapses). Since it didn't go through, I decided to wait for the duration to lapse into the second half and entered the code. By some miracle, the site took it.

 

Now the reason why I decided to ask today is because I have encountered a similar issue before with the Acclaim website by Credly as I have an account there for my digital badges. It worked for a few months then suddenly stopped working, and by that I mean the site keeps on saying the codes generated are incorrect regardless if the code's validity is within the duration or even after. I decided to ignore it at the time so I just disabled 2FA for my Acclaim account. Then after some time, I found time to move my 2FA for my Google account to Intercept X. The setup completed successfully. But when I decided to test it by logging out then logging back in, the problem happens again: keeps on saying the codes are incorrect. I had no choice but to put it back to Google Authenticator. For some reason this problem also happens in my Cisco account. When I try to set it up, it keeps on saying the QR code has something missing and I can't complete the setup. I had no choice but to use Google Authenticator for my Cisco account.  With what happened in my OpenWrt account today, I decided to ask.

 

Is there anyone else encountering this problem with the Authenticator for the sites I mentioned: Acclaim, Cisco, Google and OpenWrt? If so, can you share what you did as a workaround? Thanks in advance.

  • Hi  

    Would you please suggest whether Intercept X for mobile is managed by Sophos Central Mobile or Sophos Mobile on-premise or you are using the application as a free tool?

  • In reply to Jasmin:

    Hi  

    I'm using it as a standalone app, so it's unmanaged.

  • In reply to macOng7:

    Hi  

    Would you please confirm that your time setting of the mobile device?

    It should be set to automatic or based on the Network, not the manually set to any time zone as it might cause issues for the authenticator to provide time-based OTP authentication.

  • In reply to Jasmin:

    It's set to automatic, so it pulls the network-provided time and time zone. Authenticator works in Blur (by Abine), Microsoft, (ISC)2 and ProtonMail, which is why I am confused why it doesn't work "universally" with the four sites I have mentioned above.

  • In reply to macOng7:

    Hi  

    Then probably, there is a compatibility issue with these websites as I can see Cisco defence Orchestrator which is responsible for multi-factor authentication only supports Symantec VIP access, Google authenticator and OneLogin OTP.

  • In reply to Jasmin:

    For Cisco, I can agree with your response. When I scanned the QR code back then, Authenticator said the QR code did not contain something it needed. I can't remember the exact message, but I think it has something to do with a part that forms the complete seed.

     

    However, I'm not sure about that as the only factor affecting it. One of the sites I mentioned where Authenticator works is in (ISC)².  This site, in the process of activating 2FA, has a step explicitly saying to select the app I will use for my two-factor. Sophos is not on the list. The options available were Google Authenticator, Authy and a third option which I can't remember (I think it was Symantec VIP). For this account, I chose Google Authenticator on the selection but in actual it was still Sophos I set up, and surprisingly it worked.

     

    Besides, your documentation explicitly mentioned Google as a site which could use it on. Yet, it does not seem to work. Any ideas on what else could be causing it?

  • In reply to macOng7:

    Hi  

    I am not sure what can be causing the issue here, however, I will try to replicate this issue in my test environment and shall update you.

  • In reply to Shweta:

    Hi  

    I have replicated this issue, and have tested for (ISC)² site, which works fine as you suggested. I then tried to test with Acclaim and google and the authenticator worked fine for me, would you please try to re-install the app once? 

  • In reply to Shweta:

    Hi ,

     

    Thank you for replicating the issue and conducting tests. I did an uninstall/reinstall per your suggestion, but the codes are still being returned as invalid for the sites in question.

  • In reply to macOng7:

    Hi  

    There is something which is changed in your mobile setting which has broken this as because for the authenticator we are following the principal RFC for TOTP and HOTP as mentioned in the document.

    I also tested the same on my device and the acclaim and Cisco website working fine for me.