I set my pobox.com account up with two-factor authentication through my Yubikey, so logging in requires my user ID, password, and a Time-based One-time Password (TOTP) generated by the Yubikey Authenticator program. A few weeks ago, pobox occasionally rejected the TOTP and it eventually became a hard failure. Oddly, other sites I’ve set up with TOTP 2FA continued to work fine.
My initial trouble report:
The last couple of times I’ve tried to sign in, the usual TOTP copy-n-paste from my Yubikey authenticator has failed.
Up to that point, it worked flawlessly.
Manually typing the TOTP also fails.
I have reset my (complex!) password to no avail; I use Firefox’s password manager to fill it in.
I do have a set of lockout codes, but they’re a solution to a different problem.
Given the constant updates to Firefox (102.0.3), it’s almost certain the hole is in my end of the boat. I have disabled all the usual ad blocking for pobox.com, although there may be other domains I’ve overlooked.
Other than that, my email seems to be working just fine …
Any suggestions on how to proceed? (Obviously, I’m not going to be able to sign on to look at the ticket.)
This is the fastest I’ve ever reached Tier 2:
We’re happy to help you with this. I’ve escalated your ticket to our Tier 2 agents, as they are best suited to assist with this issue.
There is nothing like a good new problem to take your mind off all your old problems:
I’ve had a chat with our Tier 2 agents about this and they’ve suggested I escalate it to our developers to have a look at.
I am afraid to say that our developers were unable to find any clear reason as to why your Yubikey failed.
Yubikey devices verify by connecting with Yubikey’s server, and it is possible that this connection failed.
Can you please try using the Yubikey again to see if the issue is still occurring?
If it’s still failing, can you please try adding a new Yubikey device to see if it works?
Of course, the problem didn’t magically Go Away, but I did more experimentation and figured out where the hole was in my end of the boat:
Ah-HA! It’s a PEBKAC error!
For unknown reasons, this PC was not set for automatic NTP time updates(*). Its time had drifted (presumably since I installed it back in June 2021) and was now 58 seconds behind real time, exceeding pobox’s tolerance.
Other websites apparently allow a few more seconds of slop before disallowing a TOTP, so I had not yet run afoul of their limit.
Some lesser-used sites threw me out, however, but I had not looked beyond the most common sites.
The default TOTP interval is 30 seconds, so perhaps pobox allows only ±1 interval and the other sites allow ±2? Frankly, I think pobox has it right: everybody else prioritizes customer sat over security.
Got the clock set correctly and, gosh, TOTP works fine.
Mark it solved, but definitely add “Soooo, is your PC’s clock set for automatic updates?” to the debugging protocol.
(*) I’ve installed all of the boxen here and would not ever have picked “Yeah, sure, I want to dink with the clock.”
The solution looks like this:
Which was unchecked on this PC.
Of course, systemd has long since subsumed NTP, making everything I thought I once knew obsolete: now it’s handled by timesyncd.
How you make sure time synchronization is enabled goes like this:
$ systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
     Loaded: loaded (/usr/lib/systemd/system/systemd-timesyncd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2022-08-25 06:49:31 EDT; 10h ago
       Docs: man:systemd-timesyncd.service(8)
   Main PID: 355 (systemd-timesyn)
     Status: "Contacted time server 220.127.116.11:123 (2.manjaro.pool.ntp.org)."
      Tasks: 2 (limit: 19063)
     Memory: 2.2M
        CPU: 188ms
     CGroup: /system.slice/systemd-timesyncd.service
             └─355 /usr/lib/systemd/systemd-timesyncd

Aug 25 06:49:31 shiitake systemd: Starting Network Time Synchronization...
Aug 25 06:49:31 shiitake systemd: Started Network Time Synchronization.
Aug 25 06:50:12 shiitake systemd-timesyncd: Timed out waiting for reply from 18.104.22.168:123 (2.manjaro.pool.ntp.org).
Aug 25 06:50:12 shiitake systemd-timesyncd: Contacted time server 22.214.171.124:123 (2.manjaro.pool.ntp.org).
Aug 25 06:50:12 shiitake systemd-timesyncd: Initial clock synchronization to Thu 2022-08-25 06:50:12.850444 EDT.
If the service shows as both enabled and active (running), and the log reports an initial clock synchronization, then it’s all good.
Whereupon all my TOTP passwords began working again.
I checked two other Manjaro systems: one had auto updates enabled, one didn’t. I have no explanation.
3 thoughts on “Manjaro Linux: TOTP PSA”
Thank you for the tip. You’re the reason I found pobox.com 25 years ago and have been using it ever since. Now you’ve shown me that they have 2FA, so I’ve enabled it myself.
If you’re running a desktop email client, set up an app-specific password to allow access without 2FA specifically for sending/receiving SMTP/IMAP email. The 2FA then applies to manual account management stuff through their web interface.
Slackware doesn’t use systemd, but I’m using js8call, and accurate time is a major plus. Thus, every hour I run a script:
sntp -Ss -M128 pool.ntp.org
Assuming I can trust a geosynchronous sat-link, I can get within 25-50 ms of correct time.