1Password 2FA Not Working with AWS

I wonder if anyone else had this issue.

I’ve been using 1Password as my 2FA device. Usually, the six-digit one-time passcode gets inserted automatically. The only issue I have is that when I set up 2FA, the QR code is on my iPhone and that’s my camera. I’ll either copy and paste the code in manually or have 1Password on my iPhone configure the entry while I pull the website on my Mac to configure 2FA for the website.

However, I’ve been unable to get this to work on AWS. I can get the manual code from the website to configure 2FA, but it doesn’t give me the rest of the configuration. Or I can snap a picture of the QR code, but the six-digit code produced isn’t correct.

I finally used Google Authenticator. I was hoping to export the settings into 1Password, but you can’t export the settings into another 2FA authenticator.

Anyone else having this issue?

No, I have 1Password doing 2FA with AWS, though I set it up long enough ago that I don’t remember it being an issue.

In some 2FA apps and systems, you can copy the secret key to seed another system. In 1Password, you can see it in the URL if you edit the One-Time Password field. Apple also lets you copy the setup URL in its Passwords screens.

I set it up again with 1Password help and it worked. 1Password made sure to tell me they use the exact same algorithm as in Google Authenticator and the others. It should have always worked.

AWS is strange. You have to put in the first one-time code, then wait 30 seconds for the next one.

When I set up Google Authenticator, it was fully with the intention to copy the 2FA URL from Google Authenticator to 1Password. You can’t. The best Google Authenticator would let me do is copy a QR code that would save all of my 2FA keys to copy into another Google Authenticator.

Yeah, Google Authenticator is pretty lousy. At least they made it so you don’t lose all your setup if you get a new phone. But it’s still one of the weaker 2FA apps.

I just want to get my stuff off of it before it got canceled with all the other Google apps.

That’s strange. The QR code, if you decode it, is an industry standard URL, just like the ones you get from web sites. The only difference is that it contains data for multiple keys instead of just one.

Maybe 1Password doesn’t like multi-key QR codes. What happens if you use Authenticator to export only one key at a time?

Correction: It turns out that when exporting, Authenticator uses a completely different URL scheme. But when searching for information, I found a GitHub site with an open source (GPL licensed) application that can extract the seed data from these URLs.

Installation is going to be a bit of a slog through the Terminal. The author doesn’t want to pay Apple $100 for a developer license in order to be able to sign and notarize an installer package, so you’ve got to install and run it the hard way.

If you don’t want to trust someone else’s code and want to try it yourself, that site describes the URL. It’s a Base64-encoded block of data encoded using Google’s ProtoBuf format (the proto3 format). The ProtoBuf library is documented here:
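Added example, not part of the thread and not the code of the GitHub project mentioned above: a minimal Python decoder for the export URL this post describes, turning each account into a standard `otpauth://` URI with the seed in Base32. The `otpauth-migration://offline?data=` form, the field numbers and the enum values are assumptions taken from the publicly reverse-engineered layout, and the sample account is constructed.

```python
import base64
from urllib.parse import urlparse, parse_qs, quote
# Assumed layout (reverse-engineered, not a specification published by Google).
ALGOS = {1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS, TYPES = {1: 6, 2: 8}, {1: "hotp", 2: "totp"}

def read_varint(buf, i):
    """Decode a base-128 varint at buf[i]; return (value, next_index)."""
    value = shift = 0
    while i < len(buf):
        value |= (buf[i] & 0x7F) << shift
        i, shift = i + 1, shift + 7
        if not buf[i - 1] & 0x80:         # high bit clear: last byte of the varint
            return value, i
    raise ValueError("truncated varint")

def fields(buf):
    """Yield (field_number, value) for varint and length-delimited fields."""
    i = 0
    while i < len(buf):
        key, i = read_varint(buf, i)
        if key & 7 not in (0, 2):         # only these two wire types are expected
            raise ValueError(f"unsupported wire type {key & 7}")
        value, i = read_varint(buf, i)    # the varint itself, or a length prefix
        if key & 7 == 2:
            if i + value > len(buf):
                raise ValueError("length runs past end of payload")
            value, i = buf[i:i + value], i + value
        yield key >> 3, value

def decode_migration_url(url):
    """Return one standard otpauth:// URI per account in an export URL."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth-migration":
        raise ValueError("not an authenticator export URL")
    data = parse_qs(parsed.query)["data"][0].replace(" ", "+")  # '+' left unescaped
    payload = base64.b64decode(data + "=" * (-len(data) % 4))
    entries = [dict(fields(v)) for n, v in fields(payload) if n == 1]  # 1 = accounts
    return [f"otpauth://{TYPES.get(p.get(6), 'totp')}/{quote(p.get(2, b'').decode())}"
            f"?secret={base64.b32encode(p[1]).decode().rstrip('=')}"
            f"&issuer={quote(p.get(3, b'').decode())}"
            f"&algorithm={ALGOS.get(p.get(4), 'SHA1')}&digits={DIGITS.get(p.get(5), 6)}"
            for p in entries]

# Constructed sample, not a real account: one hand-encoded entry (alice / AWS).
ENTRY = b"\x0a\x0aHello!\xde\xad\xbe\xef\x12\x05alice\x1a\x03AWS\x20\x01\x28\x01\x30\x02"
SAMPLE_URL = "otpauth-migration://offline?data=" + quote(
    base64.b64encode(b"\x0a" + bytes([len(ENTRY)]) + ENTRY + b"\x10\x01").decode())
```

The URIs it returns carry the TOTP seeds in clear text, so the output needs the same handling as the passwords it protects.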

I take it that the QR code was a URL to a data package that can be imported into Google Authenticator. It wasn’t even worth looking into it.

Google Authenticator is a pretty barebones app. The export functionality is actually new. Previously, if you replaced your phone, you’d lose all of your 2FA keys. There was no easy way to transfer them.

Fortunately, we got 1Password to work.