My phone is... from the future ?

  • SpinRite v6.1 Release #3
    Guest:
    The 3rd release of SpinRite v6.1 is published and may be obtained by all SpinRite v6.0 owners at the SpinRite v6.1 Pre-Release page. (SpinRite will shortly be officially updated to v6.1 so this page will be renamed.) The primary new feature, and the reason for this release, was the discovery of memory problems in some systems that were affecting SpinRite's operation. So SpinRite now incorporates a built-in test of the system's memory. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

Cozmo

Active member
Oct 8, 2020
27
3
Montreal, Canada
Was debating posting this here or in Software... but I will label this one as a "riddle me this, Batman"...

My phone is a Galaxy S9 (SM-G960W) with Android 10, Security Patch level Nov1-2020 (latest available).
I have many apps on my phone, namely Microsoft Authenticator and Google Authenticator.

I use MS Auth has about 20 accounts, one of which is NOT push-notification -enabled.
So when logging on to that site, I need to grab the code and authenticate. (This site also has a little link underneath the entry box where I can have that site send me a code by e-mail, more on this later...)

For the past 3 months, I login with username/password and get challenged for a code. Everything normal so far. I then enter the code and get refused, saying invalid code. "Ok, weird" I think. I fiddled around with it enough that I discovered that if I enter the code given to me via the App and get refused, I can then click the "send code by e-mail" and IMMEDIATELY click login (still with the code from the App, NOT the one in the email) - and am granted access.

( I ended up speaking with a programmer at this website, he monitored the codes I got and could confirm via the API that the code was valid).

Weird right ? Ok, park that.

I use Google Authenticator for two sites.
Site #1, I type in my username/password and get challenged. Type in my code (let's call it Code-A), refused.
Wait 30 seconds for a refresh, type in Code-B, refused.
Wait 30 seconds for a refresh, type in Code-C, refused.
Just for kicks, type in Code-A (now over a minute "old") - Access Granted ?!?!?!?

Site #2, works fine, username/password, challenge, code, access granted. Nothing to see here.

It appears my phone is providing codes that are timed somewhere in the future and I have to wait for Time to catch up ?

Any advice/ideas on this please ? I'm looking to avoid a factory reset (which I haven't done yet).
 
Do you have enough access to the problem sites to check out whether their clocks are correct ( to the second)?

Alternatively, could it be that they are very busy, and whilst the code is generated, it takes a couple of seconds to update the database for the verification step.
 
@Cozmo It probably is time related. Check that auto time update via NTP is turned on on your phone and that its time is accurate. You can use time.gov as a reference. If needed, you may be able to force a time update. Otherwise, as @AlanD says, it's probably the time at the remote site. I think the authenticator system allows a fudge factor to maybe the previous or next code but someone else would have to confirm that.

May your bits be stable and your interfaces be fast. :cool: Ron
 
TOTP authentication apps use the local time, on the assumption that the clock is close enough to accurate (and the further assumption that server side will have a highly accurate clock.) When you send your code to the site, the site has a certain tolerance for time slippage, maybe up to 30s or so.
 
Definitely a time sync issue. Make sure the device's time is synchronized and using the same timezone as the server. We've had similar issues when people manually set their clocks on their smartphones.

Not suprisingly, TOTP stands for Time-based One Time Password. The generated token depends on the actual timestamp given by the device where it is generated. The server tha validates can be configured to tolerate a gap in the clock difference, so it can vary from seconds to minutes depending on how administrators configured it.
 
Definitely a time sync issue. Make sure the device's time is synchronized and using the same timezone as the server. We've had similar issues when people manually set their clocks on their smartphones.

Not suprisingly, TOTP stands for Time-based One Time Password. The generated token depends on the actual timestamp given by the device where it is generated. The server tha validates can be configured to tolerate a gap in the clock difference, so it can vary from seconds to minutes depending on how administrators configured it.
You don't need the same timezone as the server, it just need to be set correctly so the server and client can get the same time in UTC.