TOTP Doesn't Work on Amazon.com Key

[ajgrf]

Summary

gopass totp amazon.com fails even though it works with all of my other accounts. The error given is Error: No OTP entry found for amazon.com: illegal base32 data at input byte 48, as though something is wrong with the key even though there isn't. My current workaround is to run oathtool --totp=sha1 --base32 $(gopass amazon.com totp).

The key does seem to be a different size than my other accounts, which may be causing the issue. When base32-encoded it is 52 characters long.

Steps To Reproduce

1. Set up 2FA on Amazon.com
2. Store TOTP key in gopass
3. Run gopass totp amazon.com

Expected behavior

It should give me a 6 digit totp pin.

Environment

• OS: Debian 9
• OS version: Linux hostname 4.17.0-0.bpo.3-amd64 Add template feature #1 SMP Debian 4.17.17-1~bpo9+1 (2018-08-27) x86_64 GNU/Linux
• gopass Version: gopass 1.8.2-git+HEAD go1.11 linux amd64
• Installation method: go get

[ajgrf]

I was able to get this working by converting the "totp:" key-value pair to an otpauth URI. There may still be a bug here because I didn't have a problem with any other key, and I don't think it was user error.

[colemickens]

@ajgrf Have you tried making sure the URL doesn't have anything after secret=VAL, no &issuer... etc?

(And possibly only has the secret parameter?)

I'm seeing really weird behavior too.

[ajgrf]

Yes, before I converted it to an otpauth:// URL, it was a totp: key-value pair with just the key. All caps, no spaces, no other leading or trailing characters (other than a single space between the colon and key).

[nokernel]

From what I can understand, it looks like it's the yaml library that is not able to find they totp key in the "yaml" document.

It returns an empty document.

I am not done yet investigating.

When printing out the real error from the yaml library you get ~ Key not found error.

[nokernel]

I was able to make this work with 1.8.2 pre-built binary.

In the yaml format.

Edit your token for this format :

---
totp: yourtokenhere

The trick that made it work for me is the --- line on top

Then gopass totp amazon.com

[colemickens]

I think this issue was about getting WRONG codes, rather than no codes.

My issue with this wound up being that I was using a script to export OTPs from Authy and it was including extra query parameters in the otpauth:// URL that were causing invalid codes to be generated. It took me forever to figure this out. I wound up finding it via process of elimination.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[NuLL3rr0r]

@ajgrf thanks converting "totp:" key-value pair to an otpauth URI worked for me. I have the same issue on gopass 1.9.2.

[fi0]

Confirming the otpauth URI workaround generates a correct code, and the totp: SECRET will generate a wrong code.
gopass 1.10.1