Differing TOTP codes

Hi,
I notice the TOTP is not synching between iOS and Windows app/Browser plugin. Even if I click on sync several times, they do not match and have different TOTP on each device.

For example, when I set 2FA for this site, if I set it on the Windows app, I can’t log in using the browser or iPhone app and vice versa… I have tried to remove 2FA from all devices, but it doesn’t work… something is wrong.

When I add the TOTP to one device, the other devices sync but with a completely different TOTP.

See here: Integrated Authenticator – Troubleshooting | Bitwarden Help Sites

PS: To add a bit more to my lazy answer before :sweat_smile:: most likely you have to sync / update the time on your devices - the TOTP codes are generated by the underlying TOTP seed codes / “secret keys”, depending on the current time of the device → TOTP = time-based one-time-password(s)… best thing is, to activate automatic time synchronizations for all devices, if not already set… (I had this once on Windows 10 or 11 myself… for whatever reason, the automatic time sync was deactivated…)

I have all devices on my network get the time automatically from the router. All devices have the exact time almost to the second.

The underlying seed codes in the field do sync properly and are identical? Only the 30-second-codes differ? - Can’t think of anything else than the time of the devices, causing this… :thinking:

If the secret key is a URL, it is possible to change the algorithm, digits and the period. If these do not match, the same codes will not be generated.

I have seen some web sites that do not use the defaults – SHA1, 6 digits and 30 seconds. Those doing so really are doing little more than exposing themselves to being the first to discover bugs.
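An added example (not code from this thread or from Bitwarden) covering both causes raised above, device time and otpauth URL parameters: a minimal RFC 6238 implementation that shows when two devices holding the same key agree or disagree. The secret is the RFC test key, used here as constructed sample input, and `totp`, `code_for_key` and `compare` are hypothetical names.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: Base32 of the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 code for a Base32 secret as seen by a clock reading unix_time."""
    secret_b32 = secret_b32.replace(" ", "")
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    counter = int(unix_time) // period          # both sides must agree on this value
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_for_key(authenticator_key, unix_time):
    """Accept a bare Base32 secret or an otpauth:// URI with optional parameters."""
    if not authenticator_key.lower().startswith("otpauth://"):
        return totp(authenticator_key, unix_time)
    q = parse_qs(urlparse(authenticator_key).query)
    return totp(q["secret"][0], unix_time,
                algorithm=q.get("algorithm", ["SHA1"])[0],
                digits=int(q.get("digits", ["6"])[0]),
                period=int(q.get("period", ["30"])[0]))

def compare(key_a, clock_a, key_b, clock_b):
    """Return both codes and whether the two devices would agree."""
    a, b = code_for_key(key_a, clock_a), code_for_key(key_b, clock_b)
    return a, b, a == b

if __name__ == "__main__":
    uri_60s = f"otpauth://totp/Example:alice?secret={SAMPLE_SECRET}&period=60"
    print(compare(SAMPLE_SECRET, 31, SAMPLE_SECRET, 59))   # same 30 s window
    print(compare(SAMPLE_SECRET, 59, SAMPLE_SECRET, 61))   # 2 s apart, across a boundary
    print(compare(SAMPLE_SECRET, 59, uri_60s, 59))         # same clock, different period
```

Only the time-step counter and the URI parameters feed the HMAC, so identical keys with a clock that is off by more than one period, or mismatched `period`/`digits`/`algorithm` values, are enough to produce different codes.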

Yes, but I understood OP like the “string” is the same in the TOTP field in a login item, but the resulting TOTP code is different depending on which app/device accessed. (?!) And even with a customized URL string - that should produce the same code for a certain time, regardless of which app/device you access it from. Or shouldn’t it?

Nothing is the same…this is very strange as I have never encountered this issue with Bitwarden before :disappointed_relieved:

Okay, to be absolutely sure about what we are talking here:

You mean, for the exact same login item, when you access it from your PC and go into “view item” or “edit item”, you see this (example!) as your “authenticator key” (made visible by clicking the “eye” :eye: symbol):

… and when you access that exact same login item from your phone (or whatever), you don’t see the same (example) authenticator key “abcdefg”, but a different key, like this:

Right?

And just to check the obvious: you are logged in to the same Bitwarden account in the same server region on the regarding apps?

That quote is from your first post… When you clicked on sync in your BW apps - do they show a recent date for sync everywhere? (like Feb 25 or 26, 2025 ?!)

Even If I copy and paste the authenticator key on both devices…it creates different codes.

Yeah, okay, the codes that are created are different… so much was clear from the beginning :sweat_smile:

But when you copy and paste the authenticator keys - are they different after that also?? Or are they the same?

(as you wrote before:)

Nothing stays the same even with the same keys.

It might be worthwhile installing ente auth, google authenticator or another competitor to see if all apps on a device generate the same code, or if you can identify other patterns.

I know you said you checked the time, but this completely seems like a clock issue. It sounds stupid, but did you also validate the month, day, year and timezone too? Timezone is not set by NTP and it “shouldn’t” matter for TOTP, but no sense leaving anything to chance. Another trick, go to https://time.is and make sure it says both of your clocks are within a second or so of the reference time.

I also think (still), that it’s a time-related thing…

@Macster Did you identify the device that creates the valid TOTP codes? - Then you can concentrate on the device(s) that create the invalid codes…

PS: You wrote before:

Though that doesn’t explain the difference in the resulting codes on the different devices… but did you e.g. check the time sync of the router itself also? (and/or sync the time on the devices with the invalid codes with an internet server and not the router?)

PS: Though I think the current device should be the deciding thing - you wrote you self-host… was there a change with that the other day? I don’t know if the server must also be “time synced”? :thinking:

I selected I self host just to select a 3rd option one as I didn’t know what else to select from the list other than Windows and iOS

Okay, I changed that to “default-cloud” then.

The issue seems to have been resolved…now the TOTP matches :person_shrugging:t2:
I’m 99.99% sure it was user error.

Good to read, that it works now again!

I marked your post as “solution” then.

PS: @Macster It may be irrelevant now, what it was… - but if it was something we all could learn from, maybe you can illuminate what the “user error” was?