Skip to main content
January 13, 2025
Question

TOTP URI 'period' parameter is ignored if value is above 255

  • January 13, 2025
  • 6 replies
  • 291 views

Hi. I am a long time 1Password user. I recently set up a new service that uses TOTPs.

The problem I am having is that the codes needed for this service are synchronized with a period of 300 seconds (5 minutes).

But when the URI is inputted into the TOTP field in 1Password the generated codes have a period of 30 seconds.

I have tried changing the values of the period to test the problem and have found that codes are generated with the correct period only for period values under 256. Any period value above that is ignored and defaulted to 30 seconds. (Without showing any error or warning).

I am opening this discussion to report this as a bug, as other services (such as Apple Passwords app) accept the 300 seconds period and generate the correct codes. 1Password should to be able to generate TOTPs with periods longer than 255.

Thanks.


1Password Version: 1Password for Mac 8.10.56 (81056028)
Extension Version: 8.10.56.28
OS Version: macOS 15.2
Browser: Safari

6 replies

1P_Dave
1Password Employee
January 14, 2025

Hello @jmml97! 👋

Thank you for reaching out! I'm done some testing and I can confirm that 255 is the current maximum period for time-based one-time passwords (TOTP) in 1Password.

While I can't make any promises, I'm happy to file a feature request with the team on your behalf to look into raising this limit if possible. Can you tell me a little more about the use case for needing such long periods? Most TOTPs default to 30 seconds. Knowing more about the need to a change like this will help our product team prioritize the request.

-Dave

ref: dev/core/core#39

jmml97Author
May 7, 2025

I apologize for not following up on this question sooner.

I have tested it, and the issue remains unresolved.

I need this because the TOTP period for the service I use is set by my company. They chose a 300-second period. I don’t know why, but I cannot change it. If they did, all users would need to update their TOTP generators with the new period.

Apple Passwords generates codes correctly with the 300-second period. However, it’s inconvenient to use two password managers just for this.

Thank you for your time and help. Have a nice day.

1P_Dave
1Password Employee
May 7, 2025

@jmml97 

Thank you, I've shared your use case with the team and I'll also add your new comment to the feature request that I filed on your behalf.

-Dave

jmml97Author
January 14, 2025

Hi @1P_Dave!

Thank you for your answer and your testing.

I need to use that period because the service I am connecting to uses TOTPs with a period of 300 seconds. It is something the service sets on their end, so** it's not something that I can change on my own*. I agree it's more common to have 30s but in this case **they have chosen to use 5 minutes* as their TOTP period.

The way it fails silently on 1Password after 255 and that being exactly 8 bytes it seemed to me that it's a bug. But that's only a guess.

Thanks for your help.

José María

1P_Dave
1Password Employee
January 14, 2025

@jmml97

Thank you for that additional information. I've passed this along to the team internally.

-Dave

ref: dev/core/core#39
ref: PB-45544784

jmml97Author
January 14, 2025

@1P_Dave Thank you very much!

  • José María
1P_Dave
1Password Employee
January 15, 2025

Thanks again for reporting this! 🙂

-Dave

July 17, 2025

I'd also like to add that the RFC specifies:
>  R4: The prover and verifier MUST use the same time-step value X.

In this case X is coming from the TOTP URI.

1P_Dave
1Password Employee
July 22, 2025

Thank you for the feedback! I've passed your comments along to the team. 

-Dave