Hacker News new | ask | show | jobs
iOS 9 Time bug breaking two factor authentication
7 points by jpp123 3915 days ago
The iOS 9 clock issue previously discussed (see https://news.ycombinator.com/item?id=10262244) is a lot worse than originally indicated.

Our devops team are seeing users who can no longer authenticate using 2FA code generators because their phones are off by over 30 seconds. The offset seems fairly random - a quick poll in our office shows that it appears to only impact iOS9. Mine is off 3.7 seconds. The biggest offset I've seen is 41 seconds.

Reboots, setting manually and the n going back to auto etc don't fid it.

You can check your offset at http://time.is or by downloading the free Emerald Time ntp app.

Any suggestions for a workaround greatly appriciated.
4 comments
Someone1234 3915 days ago
Sounds like you need to contact the vendor that supplies your 2FA since it is misconfigured/incorrectly implemented.

I've seen this before with people who try to roll their own Google Authenticator/TOTP implementation.

What they do is they read the standard, note the 30 second default step size, and entirely ignore the window. If you look at Google Authenticator while the steps are 30 seconds, the window is +1 or -1, so you can enter three different valid codes at any one time (for three different steps: 0, +30, -30).

But don't take my word for it, Google has Authenicator source code available here:

https://github.com/google/google-authenticator/blob/master/l...

Look at "window" or "window_size" options. To quote Google's own comment:

> By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so

So as I said, your 2FA is incorrectly done.

link
jpp123 3915 days ago
I'm not going to publicly shame the vendor we use, but yes we've had words.
link
joezydeco 3914 days ago
So are you saying Google Authenticator will be useless when my clock is >60 seconds out of sync? Or do they record my last interaction and note the time delta from there?
link
jgeorge 3914 days ago
My iPhone clock is 2 minutes fast. My project is with network timing, so I'm acutely aware of clocks being off, and its driving me crazy.
link
jpp123 3914 days ago
9.0.2 fixes it - or buy an Apple watch because that appears to mitigate it (speculation the Apple QA team all have an Apple Watch :-)
link
jgeorge 3909 days ago
9.0.2 does indeed fix it. I don't have a watch; I almost electrocuted myself a number of years ago wearing a watch with a metal band, so I don't wear one anymore. :)
link
joezydeco 3914 days ago
My iOS9 device is now 30.5 seconds ahead of NTP and growing about 1.5 seconds per day.

Apple support seems to think this is my inability to turn on the "automatic time setting" feature. I wish this problem had more visibility.

link
jpp123 3914 days ago
9.0.2 fixes it
link
joezydeco 3914 days ago
Indeed it does. Thanks for the tip that 9.0.2 was out.
link