What to do if Google authenticator always gives wrong codes

Tomcat

Good day.
I would like to tell you about the problems with 2FA authentication on Android 4.4.2 KitKat devices and the solution that, in our case, ended a long search.

Some time ago, my colleagues and I decided to add two-factor authentication (2FA for short) to our small office server running Ubuntu Server.

2FA is an additional layer of security and a useful addition to the existing authentication mechanism. Besides the usual login + password pair, the user logging in must supply a one-time code that changes every 30 seconds and is generated by a device the user owns. To generate the code, we used the Google Authenticator application on an Android mobile phone. After a one-time setup (the secret is provisioned to the phone by scanning a QR code), the application generates codes with a lifetime of 30 seconds from the current time, and the server, which holds the same secret, computes exactly the same codes (this is TOTP, RFC 6238). During authentication, the server compares the code the user enters with the one it computes for the current time.

Since nothing is sent to the user at login time (the secret is provisioned once and from then on lives on the device), this mechanism is more secure than sending confirmation codes over a separate channel (for example, the SMS confirmations used for 3-D Secure in banking systems). The same secret is also stored on the server, so the file that holds it must be protected as carefully as the password database.

There are unexpectedly many step-by-step guides online for setting up the server side. All of them are simple and clear; I followed this article. After setting up the server, we installed the Google Authenticator application on a Lenovo P780 phone, scanned the QR code from the monitor with the phone and received the coveted digits for logging in. Before restarting SSH, do not forget to save the emergency scratch codes so that you can restore access. And now everything is ready to use! We restart SSH, connect to the server, enter the password, after the password we are asked for a Verification code, copy it from the phone and... are asked for the password again?!!! It looks like this:

ssh [email protected]
Password: <enter the password>
Verification code: <enter the code from the phone>
Password: <?!!, enter the password again>
Verification code: <enter the code from the phone>
Password: <enter the password again>
Verification code: <enter the code again>
[email protected]'s password: <password again>
Permission denied, please try again.
[email protected]'s password: <enter the password again>
Received disconnect from xx.xxx.xx.xx: 2: Too many authentication failures for user

At first we thought there was an error in the settings, but after trying several mobile devices it became obvious that the codes generated by the Google Authenticator application on Android 4.4.2 KitKat are always wrong.

“Solutions” that were found and their results:

  1. If you roll back the Android version, it starts working correctly. (We lived with this “solution” for some time, but decided to move on.)
  2. Since the problem comes down to incorrect time zones, many solutions aim specifically at correcting them. The TimeZone Fixer application can really help with this problem; however, after using it some applications start to display the wrong time and have to be fixed manually. (The solution has its disadvantages and risks. All information about the application is available on the 4pda website.)
  3. Adjust the time manually. To be honest, this method never worked for us: change the clock by hand and thereby synchronize the time on the phone with the server. Alas, all attempts yielded nothing, although there were people who claimed that it worked for them. In any case, the prospect of no longer having a correct clock on your phone is not the most pleasant...
  4. Synchronizing the clock from within the settings of the Google Authenticator application. (In our case, no result, but there were comments saying that it helped someone.)

The final solution to the problem: FreeOTP

While searching for a solution on the Internet, I had already come across the GitHub repository of the Google Authenticator application; its bug tracker contains our problem, and the following was proposed as a solution:
"You can use FreeOTP Authenticator (by Red Hat) instead of Google Authenticator until someone fixes it."

For a long time it seemed to me that this recommended a different authenticator mechanism that would have to be installed on the server instead of Google's, so I diligently kept looking for other solutions. I wanted to make Google Authenticator work, but in fact they recommend using another application on the Android side, and the server part stays unchanged: the FreeOTP Authenticator application from Red Hat. After setting it up using the same QR code, everything started working without the need to adjust anything.

Unfortunately, I cannot tell you the cause of the error in the Google Authenticator application, but I hope that my sad experience will save someone else's time.

I will be glad to see your comments! Thank you for your attention.
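As an added illustration (not part of the original post, and not code from Google Authenticator, FreeOTP or the server's PAM module): the TOTP computation that the phone app and the server both perform, plus the server-side check that tolerates a small amount of clock drift. The secret is the RFC 4226 / RFC 6238 test key rather than a real one, and the clock offsets in the demo are made-up values chosen to show why a phone whose clock (or time zone) is off by more than the server's acceptance window produces codes that never match, which is the symptom described above.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test input: the RFC 4226 / RFC 6238 test key (ASCII
# "12345678901234567890") in the base32 form an otpauth:// QR code carries.
# This is not the post author's secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30     # code lifetime in seconds, as the post describes
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a TOTP secret, tolerating the '=' padding that
    authenticator QR codes commonly omit."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of whole `step`-second intervals
    since the Unix epoch. Phone and server each compute this from their own clock,
    so the two clocks must agree to within the server's window."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1, step: int = STEP) -> bool:
    """Server-side check: accept the code for the current step and up to `window`
    steps on either side, so small drift between phone and server is tolerated.
    Each comparison is constant-time so a wrong code leaks nothing through timing."""
    secret = decode_secret(secret_b32)
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def skew_demo(secret_b32: str, server_time: int, phone_offset_s: int, window: int = 1) -> bool:
    """Would a code from a phone whose clock is `phone_offset_s` seconds off from
    the server pass the server's check? Offsets are made-up values for illustration."""
    phone_code = totp(secret_b32, server_time + phone_offset_s)
    return verify(secret_b32, phone_code, server_time, window)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET_B32, now))
    # A drift of one step is absorbed by the window; a wrong time zone (hours) never is.
    for offset in (0, 30, -30, 3600, -3600):
        print(f"phone clock off by {offset:+6d}s -> accepted: {skew_demo(TEST_SECRET_B32, now, offset)}")
```

With the default window of one step, a phone that is 30 seconds fast or slow still logs in, while a phone whose time is off by an hour (as happens when a time zone is applied twice or not at all) is rejected on every attempt; no amount of re-entering the password helps, because the server computes a different code from the one the phone shows. This is also why the manual-clock workaround above is so fragile: the phone's time has to land inside the same 30-second step as the server's, not merely look right on the screen.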