
FreeOTP refuses to add MediaWiki's 2FA details, because "token is unsafe"
Closed, Resolved · Public · BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Install FreeOTP on your phone (verified via an Android device)
  • From an OATH-enabled account, go to Special:OATHManage and enable TOTP-based 2FA
  • Scan the QR code on FreeOTP

What happens?:

FreeOTP claims that:

Token is unsafe!
The token you are attempting to add contains weak cryptographic parameters. Use of this token is strongly discouraged! Please alert your token provider.

What should have happened instead?:

FreeOTP adds the 2FA details and starts generating TOTPs.

Other information (browser name/version, screenshots, etc.):

I'd love to provide a screenshot, but FreeOTP's security policy prohibits me from taking one. The error message (verbatim) is provided above.

This is fairly important to fix on our side, as FreeOTP is high on the list of recommended apps in our official manual. This means users who are unfamiliar with TOTP apps are quite likely to land on FreeOTP specifically, and then be confused/discouraged by the warning they see.

Creating this ticket, as I was approached by @OJJ (a Czech Wikipedia checkuser) with a request for advice.

Event Timeline

@EMill-WMF For your awareness. This causes issues with the mandatory 2FA rollout we're currently working on. Would you mind flagging this to the appropriate subteam, please?

Reedy subscribed.

See also: https://github.com/freeotp/freeotp-android/issues/287

https://github.com/freeotp/freeotp-android/issues/287#issuecomment-1404846857

It looks like FreeOTP requires that tokens have at least 128 bits (26 base32-coded digits). Otherwise it is considered insecure.
It would be very helpful to show this hint. 80 bits (16 base32 digits) were accepted before and are still by the iOS app.
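To make the threshold quoted above concrete, here is an added Python example (not code from FreeOTP or OATHAuth) that decodes the base32 secret of an otpauth:// URI, reports its length in bits and flags anything under 128 bits the way the comment describes FreeOTP doing; it also generates a secret from 26 random bytes, as the linked patch does, which comes out at 42 base32 characters (208 bits). The 128-bit cut-off is taken from the comment, the sample URI is constructed, and it is assumed FreeOTP measures the decoded secret rather than the number of base32 characters.

```python
import base64
import secrets
from urllib.parse import urlparse, parse_qs

# Threshold as described in the GitHub comment: secrets shorter than
# 128 bits are reported as "unsafe" (assumption: measured on decoded bytes).
MIN_SAFE_BITS = 128


def secret_bits(b32_secret: str) -> int:
    """Return the number of raw secret bits encoded by a base32 TOTP secret."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # otpauth URIs omit the '=' padding; restore it
    return len(base64.b32decode(s, casefold=True)) * 8


def check_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth:// URI and report whether its secret meets the threshold."""
    parsed = urlparse(uri)            # scheme=otpauth, netloc=totp|hotp
    params = parse_qs(parsed.query)
    secret = params["secret"][0]      # KeyError here means a malformed URI
    bits = secret_bits(secret)
    return {"type": parsed.netloc, "bits": bits, "safe": bits >= MIN_SAFE_BITS}


def generate_secret(num_bytes: int = 26) -> str:
    """Generate a fresh random secret; 26 bytes matches the OATHAuth fix."""
    raw = secrets.token_bytes(num_bytes)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # Constructed sample: a 16-character (80-bit) secret like the pre-fix one.
    weak = "otpauth://totp/Example:user?secret=JBSWY3DPEHPK3PXP&issuer=Example"
    print(check_otpauth_uri(weak))                       # 80 bits, safe=False
    strong = "otpauth://totp/Example:user?secret=" + generate_secret()
    print(check_otpauth_uri(strong))                     # 208 bits, safe=True
```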

Change #1158541 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] TOTPKey: Use 26 random bytes

https://gerrit.wikimedia.org/r/1158541

Might be worth bearing this (September 2023) comment from another GitHub issue in mind — I don't know whether/to what extent it's still an issue, but it seemed worth flagging here just in case:

https://github.com/freeotp/freeotp-android/issues/334#issuecomment-1711954232:

👋 GitHub PM for Identity here. We use an 80 bit secret for compatibility with Google Authenticator, which had a bug for a very long time around longer secrets. It's unclear if they've since fixed it since it was abandonware for so long - now that they've updated it to support sync, maybe they fixed that too.

Change #1158541 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158541

Change #1158585 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_44] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158585

Change #1158586 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_43] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158586

Change #1158587 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_42] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158587

Change #1158588 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_39] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158588

Change #1158587 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_42] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158587

Change #1158585 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_44] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158585

Change #1158586 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_43] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158586

I tested this locally (with the increased token length) and I can add the account to both FreeOTP and Google Authenticator.

Thanks @Reedy for fixing this so quickly!

Change #1158588 merged by Gergő Tisza:

[mediawiki/extensions/OATHAuth@REL1_39] TOTPKey: Use 26 byte secret for increase security

https://gerrit.wikimedia.org/r/1158588

Reedy added a parent task: Restricted Task. Jun 24 2025, 8:35 PM
Reedy claimed this task.
Reedy renamed this task from "FreeOTP refuses to add Wikimedia's 2FA details, because "token is unsafe"" to "FreeOTP refuses to add MediaWiki's 2FA details, because "token is unsafe"". Oct 1 2025, 8:59 PM