Make compatible with Yahoo TOTP #1778

Open
mariusft opened this issue Mar 5, 2024 · 5 comments

mariusft commented Mar 5, 2024

Describe the bug

Trying to enable Yahoo 2FA and apparently it is not compatible

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'Yahoo 2FA'
  2. Click on 'Authenticator app'
  3. Click Continue
  4. Scan QR Code/Enter Setup Key manually (tried with QR generated URL and manual key same behaviour)
  5. Enter generated 2FA code
  6. See error "Incorrect Verification Code"

Expected behavior

Should proceed further with code verification/confirmation

KeePassDX:

  • Version: 4.0.5
  • Build: Free
  • Language: English

Android:

  • Device: S10
@mariusft mariusft added the bug label Mar 5, 2024

cbiere commented Mar 24, 2024

Maybe Yahoo is just broken by design. Tried to register an account for testing and it kept failing after the captcha stage. I don't use Tor or VPN, for what it's worth. Rarely do I have such a terrible user experience as with Yahoo.

@J-Jamet J-Jamet added feature and removed bug labels Mar 27, 2024
@J-Jamet J-Jamet changed the title Uncompatibility with Yahoo TOTP Make compatible with Yahoo TOTP Mar 27, 2024

melak commented May 7, 2024

It has got to be Yahoo. The Key URI looks OK, but either scanning the QR code or specifying the key directly does not work in FreeOTP+, Google Authenticator, Microsoft Authenticator, oath-toolkit or Authen::OATH, either with the defaults (SHA1 / 30s window) or any combination of SHA1/SHA256/SHA512 and 30s/60s, in Firefox or Palemoon or Chromium, from several networks, with various combinations of and complete omission of ad blockers and/or DNS filters.
I will be really curious to see what the solution to this problem ends up being.
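
Added example, not part of the thread and not KeePassDX code: a standard-library Python reference for checking an authenticator's output against RFC 6238 and for finding which algorithm, period and clock-step combination reproduces a given code. The sample URI is constructed from the RFC 6238 SHA-1 test key, and `parse_otpauth` and `matching_settings` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(key, int(unix_time) // period, digits, algorithm)

def parse_otpauth(uri):
    """Parse an otpauth://totp Key URI; absent parameters take the usual defaults."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = query["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # Base32 padding is often omitted in Key URIs
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }

def matching_settings(key, observed, unix_time, digits=6, skew_steps=1):
    """Hypothetical helper: list every (algorithm, period, step offset) that yields the observed code."""
    hits = []
    for algorithm in ("SHA1", "SHA256", "SHA512"):
        for period in (30, 60):
            for step in range(-skew_steps, skew_steps + 1):
                if totp(key, unix_time + step * period, period, digits, algorithm) == observed:
                    hits.append((algorithm, period, step))
    return hits

# Constructed sample: the RFC 6238 SHA-1 test key, not a value from this issue.
SAMPLE_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(totp(params["key"], 59, params["period"], params["digits"], params["algorithm"]))
```

If the app's code appears in `matching_settings` for the current time, the client is computing a valid TOTP and a rejection is decided on the server side.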


melak commented May 7, 2024

Per https://help.yahoo.com/kb/SLN5013.html:

> Next to "2-Step Verification," click Turn on.
>
> Click Get started. Select Authenticator app for your 2-step verification method. - To see this option, you'll need to have at least 2 recovery methods on your account.
>
> Click Continue.
>
> Scan the QR code using your authenticator app.
>
> Click Continue.
>
> Enter the code shown in your authenticator app.
>
> Click Done.

This does not actually seem to be true. Even if you don't have the at least two recovery options configured, you are apparently able to get to this point, but then the codes never verify.

I however did not verify the opposite, i.e. whether once you have two recovery options enabled the codes suddenly start verifying correctly, chiefly because once you get to the point of adding an email or phone recovery option,

> By clicking "Add", additionally your email and mobile no. will be used to offer you relevant features, content and advertising as set forth in our Privacy Policy. We will not send direct marketing communications to your phone or email based on this consent.
> [...]
> Your contact information (like email or phone number) is being used (but not shared by us) to show you deals or reminders from businesses.

If anyone wants to verify this, I'll be curious about the results.

@mariusft mariusft closed this as completed May 7, 2024
@mariusft mariusft reopened this May 7, 2024

mariusft commented May 7, 2024

> To see this option, you'll need to have at least 2 recovery methods on your account.

This is kind of new, their 2FA errors are crap, you need 2 recovery methods and 2FA will work but not immediately, you'll need to wait a couple of minutes.

Tested with Google Authenticator and KeePassDX

In order to delete one of the recovery methods you need to disable 2FA by Authenticator app.

So this probably can be closed since it is 3rd party related, not sure if a hint can be implemented for this kind of situation on KeePassDX


melak commented May 8, 2024

Thanks for verifying. So basically what this means in plain English is Yahoo letting you use the at this point probably most fundamental and easily accessible second factor option is contingent on you letting Yahoo and partners use not one but at least two pieces of your personally identifiable information for their tracking and advertisement purposes.

It is of course Yahoo's prerogative to do so I suppose (although IANAL), all I'm saying is this is what the situation seems to actually mean, and then everyone draw their conclusions if they so please.
