You mentioned passwords & MFA in the same place making you queasy, and you're not wrong. and for some reason our domain's time was always ~2 minutes behind! I updated the organization GPO to point to instead of our domain controller for time, and once that propagated, LastPass started showing the same codes as our phones. Then I had a teammate look at it with me, and he realized that the codes we'd seen on our phones were showing up on my computer minutes later! It should have been obvious, but since the TOTP codes are time-based, it runs on the assumption that your clock is correct.
Yesterday, there was another site I wanted to set up and when it was giving me the same issue, I spent some time on it and figured out the issue! I went down the path to trying to see if there were different standards / methods used by different TOTP apps and found the RFC you mentioned above. Thanks for this response! I know it's been a really long time, but I've just dealt with passing codes to my team from my phone for the site discussed in this post. One breach and the bad guys have the whole enchilada. I wouldn't be surprised if it's a LastPass bug.Īlso FWIW, as I'm paranoid, having the password and the MFA rolled up in one app makes me a bit queasy. Yep, TOTP used by Google, MS, Authy and friends is based on RFC 6238.įWIW, I've found LastPass tends to be flaky.
0 kommentar(er)
