OTP from Authenticator does not work with Acclaim/Cisco/Google and intermittent with OpenWrt Forum

Hi  

Would you please suggest whether Intercept X for mobile is managed by Sophos Central Mobile or Sophos Mobile on-premise or you are using the application as a free tool?

Hi Jasmin 

I'm using it as a standalone app, so it's unmanaged.

Hi  

Would you please confirm that your time setting of the mobile device?

It should be set to automatic or based on the Network, not the manually set to any time zone as it might cause issues for the authenticator to provide time-based OTP authentication.

It's set to automatic, so it pulls the network-provided time and time zone. Authenticator works in Blur (by Abine), Microsoft, (ISC)2 and ProtonMail, which is why I am confused why it doesn't work "universally" with the four sites I have mentioned above.

Hi  

Then probably, there is a compatibility issue with these websites as I can see Cisco defence Orchestrator which is responsible for multi-factor authentication only supports Symantec VIP access, Google authenticator and OneLogin OTP.

For Cisco, I can agree with your response. When I scanned the QR code back then, Authenticator said the QR code did not contain something it needed. I can't remember the exact message, but I think it has something to do with a part that forms the complete seed.

However, I'm not sure about that as the only factor affecting it. One of the sites I mentioned where Authenticator works is in (ISC)².  This site, in the process of activating 2FA, has a step explicitly saying to select the app I will use for my two-factor. Sophos is not on the list. The options available were Google Authenticator, Authy and a third option which I can't remember (I think it was Symantec VIP). For this account, I chose Google Authenticator on the selection but in actual it was still Sophos I set up, and surprisingly it worked.

Besides, your documentation explicitly mentioned Google as a site which could use it on. Yet, it does not seem to work. Any ideas on what else could be causing it?

For Cisco, I can agree with your response. When I scanned the QR code back then, Authenticator said the QR code did not contain something it needed. I can't remember the exact message, but I think it has something to do with a part that forms the complete seed.

However, I'm not sure about that as the only factor affecting it. One of the sites I mentioned where Authenticator works is in (ISC)².  This site, in the process of activating 2FA, has a step explicitly saying to select the app I will use for my two-factor. Sophos is not on the list. The options available were Google Authenticator, Authy and a third option which I can't remember (I think it was Symantec VIP). For this account, I chose Google Authenticator on the selection but in actual it was still Sophos I set up, and surprisingly it worked.

Besides, your documentation explicitly mentioned Google as a site which could use it on. Yet, it does not seem to work. Any ideas on what else could be causing it?

Hi  

I am not sure what can be causing the issue here, however, I will try to replicate this issue in my test environment and shall update you.

Hi  

I have replicated this issue, and have tested for (ISC)² site, which works fine as you suggested. I then tried to test with Acclaim and google and the authenticator worked fine for me, would you please try to re-install the app once? 

Hi Shweta,

Thank you for replicating the issue and conducting tests. I did an uninstall/reinstall per your suggestion, but the codes are still being returned as invalid for the sites in question.

Hi  

There is something which is changed in your mobile setting which has broken this as because for the authenticator we are following the principal RFC for TOTP and HOTP as mentioned in the document.

I also tested the same on my device and the acclaim and Cisco website working fine for me.