No entries are shown #3
The main reason you'd encounter crickets would be if you had backups disabled. From the README:
Apart from that,
Yes! If you run the program with the environment variable
Hey @alexzorin, thanks for the quick response.
So it seems that the backup is not working. I enabled the backup in the Chrome Extension, then looking at the Authy App on my phone, backups were still not enabled, which I then did again, but still got only crickets. What I wonder is: I see the API request with no results before I get challenged for the backup password. Is that by design?
Yep. What happens is that we download the encrypted backup from Authy, and then we decrypt it locally. We don't need to prompt the user for the password until we have something to decrypt.
It's either that or you don't have any actual TOTP secrets. Authy has a proprietary type of token which is not true TOTP/RFC 6238, but is basically a customized (and incompatible) version of the algorithm. For example, Twitch uses this kind of token and wouldn't appear in the API endpoint that we use. Back in the day, Cloudflare and Humble Bundle also used it, but then they migrated to regular TOTP. Today, the overwhelming majority of sites use real/standard TOTP. I haven't looked into reverse engineering how these TOTP-but-not-really tokens work, basically because it wasn't a personal need of mine and Twitch won't let me set it up unless I first give them my phone number (big sigh).
I bet you've read my comment on the gist. Yes, I was trying to get the Twitch TOTP-but-not-really tokens from the API.
1Password probably has dual support for Authy's algorithm in addition to regular TOTP (but that's just speculation on my part, never used it). Of course, the other tokens are going to be stashed away in some other endpoint. Since at the time of development, I didn't have any such tokens, I pretty much ignored everything that I didn't need. From what I saw, there's some complicated-looking key wrapping going on for "other" Authy functionality and I noped right out of there when I saw it wasn't conducive to my goals D:. And to be honest, I'm unlikely to go back for it any time soon - I've since deleted Authy entirely.
To me, it feels like "just" another TOTP secret that fell out of pudly's script, but I could be entirely mistaken.
Do you have any API documentation that I could use for looking into this further, or did you reverse-engineer the whole functionality?
I don't think there's any API docs for this stuff. I used the Chrome Extension + SSLKEYLOGFILE + Wireshark to figure out the network requests, and read the Authy Chrome Extension minified source code to figure out the crypto stuff. Doing just the first bit with an account that has a Twitch token should reveal pretty quickly which endpoint it's hiding in.
🙄 Oh wonderful, SSLKEYLOGFILE, something I tried getting to work thrice and failed miserably. Oh well, it seems I will once again try to make that work.
Although I have now added support for Twitch-type tokens, there is quite a significant downside. When you have a Twitch account in Authy and add multiple devices to your account, each device is assigned a unique and distinct TOTP secret for Twitch. When you log in to Twitch, Twitch passes on your 7 digit code to Authy.com, who then check if it matches any of the TOTP secrets on any of your devices. This is distinct from normal TOTP flows, where the website you are logging in to is the one who controls and evaluates TOTP login attempts. What this means is that Authy can revoke that token at pretty much any time. So if you imported it to 1Password and then deleted your Authy device (that authy-export added), it's possible that Authy will revoke that Twitch TOTP token after some time. So you probably need to keep that device added forever, and just destroy the device credentials instead. tl;dr: You can export the Twitch TOTP secret, but you're still married to Authy no matter what you do.
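To make the contrast in the two comments above concrete (standard RFC 6238 TOTP, where the site you log in to evaluates the code, versus the Authy-evaluated flow where the verifier holds one secret per enrolled device and accepts a match against any of them), here is an added example that is not part of this thread or of authy-export. The HOTP/TOTP functions are plain RFC 4226/6238 and are checked against the RFC's published test vectors; `verify_any_device` is a constructed model of the per-device verification the comment describes. The 7 digit length comes from the comment; the 30 second period, the `window` of one step and the device secrets are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / period."""
    return hotp(secret, at // period, digits, algo)


def verify_any_device(device_secrets: Dict[str, bytes], code: str, at: int,
                      digits: int = 7, period: int = 30, window: int = 1) -> Optional[str]:
    """Constructed model of the Authy-evaluated flow described in the thread:
    the verifier (not the site) keeps one secret per enrolled device and
    accepts the code if it matches ANY of them, within +/- `window` steps.
    Returns the name of the device whose secret produced the match, or None.
    Removing a device from the dict is the 'delete the device' case."""
    for name, secret in device_secrets.items():
        for step in range(-window, window + 1):
            candidate = totp(secret, at + step * period, digits, period)
            if hmac.compare_digest(candidate, code):  # constant-time comparison
                return name
    return None


# Secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed per-device secrets for the Authy-style model (NOT real credentials).
DEVICES = {
    "authy-export": b"constructed-secret-for-exported-device",
    "phone": b"constructed-secret-for-original-phone",
}


def demo() -> dict:
    """Run both flows and return the values the caller can check."""
    # Standard flow: the site holds ONE secret and evaluates the code itself.
    rfc_code = totp(RFC_SECRET, 59, digits=8)  # RFC 6238 vector: "94287082"

    # Authy-style flow: the third party holds a secret per device.
    at = int(time.time())
    exported_code = totp(DEVICES["authy-export"], at, digits=7)
    before_delete = verify_any_device(DEVICES, exported_code, at)
    remaining = {k: v for k, v in DEVICES.items() if k != "authy-export"}
    after_delete = verify_any_device(remaining, exported_code, at)
    return {
        "rfc_code": rfc_code,
        "before_delete": before_delete,  # "authy-export"
        "after_delete": after_delete,    # None: the exported secret is now orphaned
    }


if __name__ == "__main__":
    print(demo())
```

The last two values are the point of the comment above: the exported secret keeps producing valid codes only while the device it belongs to is still enrolled with the verifier, which is why the exporting device has to stay on the account.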
I was wondering for like 5 seconds: why oh why is the secret different but I'm still able to log on with that other secret in the OTP 🤔 That pretty much explains it. After all this can be regarded as a proof of concept. If Twilio decides they want to be open to users of other authenticators and give a way to export them into another software, that'll be fine as well 😬 Thank you for your time! // Kai
Re: Still married to Authy - I pretty much believe that that is the case no matter what I do, when I remove Twitch from the Authy app it might get de-authed at some point in time. |
Tried this. Once I removed the "Unknown" device from my Devices list in Authy, the TOTP that came from that secret no longer worked. So in essence, one just has to keep this one authorization within the app and you're pretty much safe. |
Even though I authenticated the app correctly (it would seem) and entered the backup password without an error message, I get no results as Authenticator Tokens (Here are your authenticator tokens: ... crickets).
I'm using version 0.1.2 with the precompiled Windows version; unfortunately, the precompiled Linux binary has the same issue.
Can you provide any means for me to debug into this?