Need Help with 2 Factor Auth and Bitfloor [Bounty]

[INEEDHELP]

I needed to factory reset my phone and reinstall google authenticator. I have the secret key written down as well as printed as a QR code. I import into google authenticator and everything seems to have worked, but the OTP appears to be counter based and every time I reimport the key the count starts over. Bitfloor has not responded to an email sent last night about this issue.

[1715120333]

1715120333

[1715120333]

1715120333

[INEEDHELP]

Does the count on my phone need to match exactly with the server count? In the past I have refreshed it more than once before logging in. Does the count just need to be higher than the one used to generate the most recent OTP used to log in? In that case I could just keep hitting refresh until the count was high enough, correct?

[INEEDHELP]

Damn, I am missing out on some great spreads so I added a bounty.

0.2 bitcoins for someone who helps me get access today. 0.4 bitcoins if they can make it happen in the next hour.

[Mike Christ]

I'm sure you could remove your cell from the website and then add it again...maybe that'll reset the whole thing and make it work again?

[INEEDHELP]

I'm sure you could remove your cell from the website and then add it again...maybe that'll reset the whole thing and make it work again?

There is no option for this until you are logged in. Unless I missed it:
https://bitfloor.com/

I have tried resetting the password but it still wants the OTP. Usually Bitfloor is quick to respond to email but not on this issue, that is why I am wondering if there is a solution I can implement myself.

[Mike Christ]

Ohh okay I see!  You have to login, but you can't because you reset your phone, and that's where authy is failing.

That's scary.  You're locked out of your own account   Perhaps they could send you a text with a code--you're still using the same number?  Also, they usually have a system where if you lose your phone, you have another method of getting back in.  Did you see anything like that when you setup the 2FA?

[INEEDHELP]

Ohh okay I see!  You have to login, but you can't because you reset your phone, and that's where authy is failing.

That's scary.  You're locked out of your own account   Perhaps they could send you a text with a code--you're still using the same number?  Also, they usually have a system where if you lose your phone, you have another method of getting back in.  Did you see anything like that when you setup the 2FA?

Not that I remember, it was long ago. Before the hack and security redesign. As I said I have the secret, it is not lost. The information I do not have is the count. I had assumed that they were using time based OTPs but apparently not.

[INEEDHELP]

I am starting to think what I was supposed to have done is print out the current QR code, then log out, then reset my phone, then import from that QR code. I can see that the count is included in QR code, but it is from far in the past.

[notme]

1.  The counter just needs to be higher than the last counter that bifloor accepted.  If you generate enough new codes it should work.
2.  Roman (the biflooor dude) will remove the two-factor auth from your account if you ask, but he has been very slow to respond lately and will require some verification to make sure it is actually your account.

[INEEDHELP]

Ah thank you. Looks like alot of button pushing is in the works for me. I will get back to you and send the bounty once resolved.

[INEEDHELP]

1.  The counter just needs to be higher than the last counter that bifloor accepted.  If you generate enough new codes it should work.

Ok so I have gone through quite a few OTPs. I have no idea what the count was but I am starting to get to the point where it is unlikely I have used so many. How confident are you in this?

[notme]

1.  The counter just needs to be higher than the last counter that bifloor accepted.  If you generate enough new codes it should work.

Ok so I have gone through quite a few OTPs. I have no idea what the count was but I am starting to get to the point where it is unlikely I have used so many. How confident are you in this?

I was wrong: https://tools.ietf.org/html/rfc4226#section-7.2

Basically, there is a certain range of size n called the look-ahead window that is configurable on the server side.  If your counter number is not between the last successful counter c and c+n, it will not validate you.  Good luck with that.  If I were you, I'd try to get Roman to lift the 2 factor auth on your account.

[INEEDHELP]

1.  The counter just needs to be higher than the last counter that bifloor accepted.  If you generate enough new codes it should work.

Ok so I have gone through quite a few OTPs. I have no idea what the count was but I am starting to get to the point where it is unlikely I have used so many. How confident are you in this?

I was wrong: https://tools.ietf.org/html/rfc4226#section-7.2

Basically, there is a certain range of size n called the look-ahead window that is configurable on the server side.  If your counter number is not between the last successful counter c and c+n, it will not validate you.  Good luck with that.  If I were you, I'd try to get Roman to lift the 2 factor auth on your account.

This was resolved by Roman. The bounty criteria were not met but I'll send a small tip for the effort.