TOTP-library gives wrong 6-digit OTP-codes

Hi everybody,

I'm trying to use the TOTP-library written by lucadentella.
OTP = One Time Password

I used the provided demo-code for an ESP32

// TOTP DEMO, v1.0
//
// Requires a WiFi-capable board (for example esp32)
// and NTPClient library: https://github.com/arduino-libraries/NTPClient
//
// Change the wifi settings and enter your hmacKey
//
// To generate the hmacKey and initialize the smartphone app
// you can use my tool: http://www.lucadentella.it/OTP
//
// Tested with Arduino 1.8.12, NTPClient 3.2.0 and esp32 1.0.4


#include <WiFi.h>
#include <NTPClient.h>
#include <TOTP.h>

// change the following settings according to your WiFi network
char ssid[] = "mySSID";
char password[] = "myPASSWORD";

// enter your hmacKey (10 digits)
uint8_t hmacKey[] = {0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x6b, 0x65, 0x79, 0x30};

WiFiUDP ntpUDP;
NTPClient timeClient(ntpUDP);
TOTP totp = TOTP(hmacKey, 10);

String totpCode = String("");

void setup() {

  Serial.begin(9600);
  while (!Serial);

  Serial.println("TOTP demo");
  Serial.println();
  
  // connect to the WiFi network
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(1000);
    Serial.println("Establishing connection to WiFi...");
  }
  Serial.print("Connected to WiFi with IP: ");
  Serial.println(WiFi.localIP());
  Serial.println();

  // start the NTP client
  timeClient.begin();
  Serial.println("NTP client started");
  Serial.println();
}

void loop() {

  // update the time 
  timeClient.update();

  // generate the TOTP code and, if different from the previous one, print to screen
  String newCode = String(totp.getCode(timeClient.getEpochTime()));
  if(totpCode!= newCode) {
    totpCode = String(newCode);
    Serial.print("TOTP code: ");
    Serial.println(newCode);
  }
}

entered my WiFi-credentials and a secret.
I compared the created 6-digit OTP with the 6-digit OTP created by WinAuth

If I use WinAuth, the created 6-digit OTP works if I enter it into the real web application, i.e. the WinAuth 6-digit OTP is accepted.

But the 6-digit OTP of the Arduino-Code is different.

As all this is time-related, is it possible that using the demo-code as posted above uses a different time?

To narrow down this problem:
Does anybody know of a different OTP tool, an Android OTP app or some kind of test website that shows the time that is used to create the 6-digit OTP?

best regards Stefan

You should check the return code of timeClient.update(). If the current time cannot be fetched the OTP library will put out a wrong password.
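
A host-side cross-check for the mismatch discussed in this thread, added here as an example (it is not part of the original posts or of the TOTP library): it computes the RFC 6238 code for the sketch's key bytes at a given epoch and works out which time step produced a code read from the device. The function names, the 30-second step and the search window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# Key bytes copied from the demo sketch above (ASCII "secretkey0").
HMAC_KEY = bytes([0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x6b, 0x65, 0x79, 0x30])
STEP = 30  # seconds per time step (RFC 6238 default, assumed here)


def totp(key, epoch, digits=6):
    """Return (code, counter) per RFC 6238 with HMAC-SHA1."""
    counter = int(epoch) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits), counter


def base32_secret(key):
    """Base32 form of the key, the encoding authenticator apps usually take."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def clock_error(key, device_code, reference_epoch, max_steps=2880):
    """Find the time step that produced device_code.

    Searches +/- max_steps steps around reference_epoch, nearest first, and
    returns the device clock error in seconds (a multiple of STEP), or None
    if no step in the window yields that code. Six-digit codes can collide,
    so a match far from zero in a wide window deserves a second reading.
    """
    ref_counter = int(reference_epoch) // STEP
    for delta in sorted(range(-max_steps, max_steps + 1), key=abs):
        if ref_counter + delta < 0:
            continue
        code, _ = totp(key, (ref_counter + delta) * STEP)
        if code == device_code:
            return delta * STEP
    return None


if __name__ == "__main__":
    import time
    now = time.time()
    code, counter = totp(HMAC_KEY, now)
    print("epoch", int(now), "counter", counter, "code", code)
    print("Base32 secret for the authenticator app:", base32_secret(HMAC_KEY))
```

A `clock_error` of 0 means the board's time is fine and the difference lies in the secret entered into the authenticator; `None` means no step within the window (one day either side by default) reproduces the device's code.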
