With 2FA enabled, 2FA code on other device is invalid

Resolved theprintedword
(@theprintedword)

4 years, 2 months ago

I enabled 2FA through the Wordfence plugin last December. Up until last week, I have logged into my WordPress admin area and using 2FA codes with no problems. I use a separate device to generate the TOTP code, then entering the code when prompted, on the 2FA screen after the username and password screen in WordPress.

On Sunday night, 04/03, I entered the 2FA code on my other device. I got an error that the code was invalid. I tried another time. I also tried closing the browser and then going back in. Nothing worked. I was able to get into the admin area using a recovery code.

I use the same TOTP generating app for 2FA enabled on my email addresses and have not encountered the same problem with logging into my email, so I know it’s not the app. My best guess is that it’s confined to WordPress and Wordfence. I searched this plugin’s forum here and I don’t see anyone else reporting a similar issue. Would you please help me troubleshoot this? Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Support wfpeter
(@wfpeter)

4 years, 2 months ago

Hi @theprintedword, sorry to see you’ve had this trouble.

As you were able to successfully access the site with a recovery code, I don’t think we should necessarily be looking at plugin conflicts or similar Javascript errors at the front-end.

Could you check for me whether times still match and if there are any offsets at Wordfence > Tools > Diagnostics > Time. If there are discrepancies, you may need to speak with your host or server admin to have them corrected. Feel free to paste those values here and we’ll look into some other options if they seem consistent.

Thanks,

Peter.

Thread Starter theprintedword
(@theprintedword)

4 years, 2 months ago

Hi Peter, thank you for your reply.

This is at the bottom of the Login Security / 2FA page. Is the corrected time the problem, being off a second? Apologies for my lack of knowledge on this issue.

Server Time: 2022-04-08 01:10:31 UTC (2022-04-07 21:10:31 America/New_York)
Browser Time: Fri, 08 Apr 2022 01:10:31 GMT (Thu Apr 07 2022 21:10:31 GMT-0400 (Eastern Daylight Time))
Corrected Time (NTP): 2022-04-08 01:10:32 UTC (2022-04-07 21:10:32 America/New_York)

Plugin Support wfpeter
(@wfpeter)

4 years ago

Hi @theprintedword, thanks for clarifying the server times.

It seems to me that the server time, browser time and corrected time are all within 1 second, so 2FA shouldn’t have been experiencing problems enabling under these circumstances. As your recovery code worked, there also doesn’t seem to be an underlying issue with validating the 2FA on your site itself.

If you have been unable to resolve the issue, I would recommend signing in with a recovery code, then selecting Wordfence > Login Security > Settings > Delete Login Security tables and data on deactivation. After this, deactivate and re-activate Wordfence from the Installed Plugins page in WordPress. You will need to reconfigure 2FA by turning it back on and validating a new QR code on your device. This should at least re-sync it with your device, although I’m unable to find a reason why this may have happened initially. If there are other admin users, they will also need to set up their 2FA so it’d be worth setting a grace period from the Login Security screen.

Thanks again,

Peter.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘With 2FA enabled, 2FA code on other device is invalid’ is closed to new replies.

Tags