jmml97
10 months ago, New Contributor
TOTP URI 'period' parameter is ignored if value is above 255
Hi. I am a long time 1Password user. I recently set up a new service that uses TOTPs.
The problem I am having is that the codes needed for this service are synchronized with a period of 300 seconds (5 minutes).
But when the URI is inputted into the TOTP field in 1Password the generated codes have a period of 30 seconds.
I have tried changing the values of the period to test the problem and have found that codes are generated with the correct period only for period values under 256. Any period value above that is ignored and defaulted to 30 seconds. (Without showing any error or warning).
I am opening this discussion to report this as a bug, as other services (such as Apple Passwords app) accept the 300 seconds period and generate the correct codes. 1Password should be able to generate TOTPs with periods longer than 255.
Thanks.
1Password Version: 1Password for Mac 8.10.56 (81056028)
Extension Version: 8.10.56.28
OS Version: macOS 15.2
Browser: Safari
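
The mismatch described in this post, as an added example that is not part of the original thread and is not 1Password's code: an `otpauth://` URI parser that honours `period`, an RFC 6238 generator, and a hypothetical `code_with_fallback` that models the reported fall-back to 30 seconds. The sample URI is constructed and uses the RFC 4226/6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample URI; the secret is the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&period=300")

def parse_totp_uri(uri):
    """Return (key, digits, period, algorithm); reject bad values instead of defaulting."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digits = int(q.get("digits", "6"))
    period = int(q.get("period", "30"))   # 30 only when the parameter is absent
    algorithm = q.get("algorithm", "SHA1").lower()
    if period <= 0 or digits not in (6, 7, 8) or algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported TOTP parameters")
    return key, digits, period, algorithm

def totp(key, unix_time, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP (RFC 4226) over the counter floor(unix_time / period)."""
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_uri(uri, unix_time):
    """Code a generator shows when it uses the period given in the URI."""
    key, digits, period, algorithm = parse_totp_uri(uri)
    return totp(key, unix_time, period, digits, algorithm)

def code_with_fallback(uri, unix_time, max_period=255, default=30):
    """Hypothetical model of the reported behaviour: period above max_period -> default."""
    key, digits, period, algorithm = parse_totp_uri(uri)
    if period > max_period:
        period = default                         # silent fallback, no error raised
    return totp(key, unix_time, period, digits, algorithm)

if __name__ == "__main__":
    for t in (59, 299, 300):                     # Unix times chosen to hit known counters
        print(t, code_from_uri(SAMPLE_URI, t), code_with_fallback(SAMPLE_URI, t))
```

At Unix time 59 the 300-second generator is at counter 0 and the fallback generator is at counter 1, so the two produce different codes from the same secret and a verifier using 300 seconds rejects the second.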
11 Replies
- qbit
New Contributor
I'd also like to add that the RFC specifies:
> R4: The prover and verifier MUST use the same time-step value X.
In this case X is coming from the TOTP URI.
- 1P_Dave
Moderator
Thank you for the feedback! I've passed your comments along to the team.
-Dave
- 1P_Dave
Moderator
Thanks again for reporting this! 🙂
-Dave
- 1P_Dave
Moderator
Thank you for that additional information. I've passed this along to the team internally.
-Dave
ref: dev/core/core#39
ref: PB-45544784
- jmml97
New Contributor
Hi 1P_Dave!
Thank you for your answer and your testing.
I need to use that period because the service I am connecting to uses TOTPs with a period of 300 seconds. It is something the service sets on their end, so **it's not something that I can change on my own**. I agree it's more common to have 30s but in this case **they have chosen to use 5 minutes** as their TOTP period.
The way it fails silently on 1Password after 255 and that being exactly 8 bytes it seemed to me that it's a bug. But that's only a guess.
Thanks for your help.
José María
- 1P_Dave
Moderator
Hello jmml97! 👋
Thank you for reaching out! I've done some testing and I can confirm that 255 is the current maximum period for time-based one-time passwords (TOTP) in 1Password.
While I can't make any promises, I'm happy to file a feature request with the team on your behalf to look into raising this limit if possible. Can you tell me a little more about the use case for needing such long periods? Most TOTPs default to 30 seconds. Knowing more about the need for a change like this will help our product team prioritize the request.
-Dave
ref: dev/core/core#39
- jmml97
New Contributor
I apologize for not following up on this question sooner.
I have tested it, and the issue remains unresolved.
I need this because the TOTP period for the service I use is set by my company. They chose a 300-second period. I don’t know why, but I cannot change it. If they did, all users would need to update their TOTP generators with the new period.
Apple Passwords generates codes correctly with the 300-second period. However, it’s inconvenient to use two password managers just for this.
Thank you for your time and help. Have a nice day.