What is expected?
The code is accepted by the service and 2FA enabled
What does happen instead?
Every service gives a similar error message: "Invalid code" or, in GitHub's case, "Two-factor code verification failed. Please try again."
https://pastebin.com/d3VPLBZq
Captured on Linux with adb logcat | grep -i "org.shadowice.flocke.andotp"
I have also already manually setting my timezone and time on both the phone and the computer to no avail. I have also looked at #269
This seems strange, I can't really detect anything wrong in the logcat at first glance. But I will have to look again on Monday when I am back at home, it's kind of hard to read on my phones screen.
I think it might be related to my device since it's very old by now, but figured I'd post here just in case someone else has the same problem in the future.
I am having a similar issue with the Firefox codes, it doesn't accept the code during the 30 secs the code is valid in andOTP, but it does accept if the code is used after the interval. Every other code from any other site/app works normally.
This is really strange, especially since I can't find any problem in the logcat.
I will remove 2FA from my Github account and re-enable it to see if anything changed.
Can it be related to the timezone, perhaps? Is there any more info we can provide to help with the debugging?
It shouldn't be, TOTP tokens are calculated based on UTC times. So as long as the time and timezone set on your phone are both correct it should work.
I'm seeing the same thing. I just installed andOTP from the Google Play store this week. Tonight I tried to add andOTP as a second authenticator for Toodledo.com and the codes are wrong. If I wait for the timer to expire on andOTP and then enter the code, it's accepted. So it seems that andOTP is on the wrong time interval.
Could we have andOTP use NTP? This should help, this issue intermittently affects me as well as the Network Provider doesn't set the right time in certain cell zones.
I don't think NTP is the problem for this issue. I've the correct time on my phone. The codes just appear to be for the next interval rather than the current interval.
I can't seem to reproduce this issue on my device. After adding 2FA again for my Github account everything works as expected. I will look into using NTP directly instead of the system time since this is the only reason I can see for this to happen.
@jpschewe Does the code start working exactly when the timer expires? I don't believe that andOTP is on the wrong interval as it basically uses the reference TOTP implementation for Java and I didn't change anything in the code but I will have a look again.
@flocke when I tested it with toodledo I entered the code right after the timer expired and that worked. So it does seem to be very close. I just tried Toodledo and a couple of other sites this morning and they all worked. So maybe Toodledo has an intermittent problem on their end.
I have the same issue in gmail in two different accounts. I was trying to transfer the entries from google authenticator to andotp and the very first code while trying to register the new app failed ('wrong code. try again'). I had to add and remove the new entry and scan a qr 4-5 times and then it worked. After that I tried it with my other gmail account and it also gave the wrong code error in registering. After 3 tries it accepted. I further tested logging in but I did not encounter any errors during logging in with registered otp entries.
edit: same issue with github as well.
Maybe it is related to the Android version.
GitHub with v0.6.1 and Android 9 is working for me without problems.
Could be. I have andotp 0.6.1 and note 8 with factory android v8.0.0. Even though adding the sites was problematic, the codes generated afterwards seem to work fine after they are added.
I also have no problems with 2FA at GitHub (I have andOTP 0.6.1 and stock Android 8.1).
@jpschewe This may be an issue with toodledo. It is standard practice¹ to accept codes that are slightly in the past and slightly in the future, but it seems like they aren't doing that.
1: RFC 5238, section 5.2 and section 6
Hi, so I finally managed to get a new phone with Android 7. I just tested andOTP and it works fine.
I suddenly have this as well. Tried different services (i.e. Firefox & Jira) and the codes are suddenly not accepted.
I'm having current Android 9 on a Samsung S9.
@flocke is there anything I could try for helping debugging this issue?
Do you have some kind of "debugging service" that logs when which token should be valid (so that someone can see a possible offset)?
@antifarben I will have to take a look, from the top of my head I don't know any service that could do that.
One of the things on my todo list is a function to get an offset from a NTP server that andOTP can use to calculate the correct time.
This recently began for me with version 0.6.2 on Android 8.1.0. I first experienced the problem on Zoho a couple of days ago and just now with Stripe. That led me to Google the problem and then here. I had a go at entering the previous code on Stripe immediately after a refresh (as mentioned above) and that got me through after several previous attempts had failed. Let me know if there is any more information I can provide or testing I can perform.
It's not an issue for me anymore. I disabled the GSM time sync in my system settings once and this seem to lead to that error.
@jsmcgraw are you sure that the time of your device is synced correctly?
It would still be helpful to have a debug-page or so. The page could generate codes and it could say something like 'submit the code in the moment the code changes to another one'.
Then it just would have to compare the code offset with the point in time and we would know how much the current phone offset is.
Same problem, can't generate code for Firefox Account. Android 8, andOTP from Play Store, I can give you informations needed to help.
Same problem, can't generate code for Firefox Account. Android 8, andOTP from Play Store, I can give you informations needed to help.
Did you make sure that your device is synced correctly?
It depends on the phone you have but you can check it in the Settings > General management > Date and time > Automatic date and time
It is obviously important that Automatic date and time is activated.
You won't be able to use time based OTP codes if your mobile phone is using a different time than the server.
@jsmcgraw are you sure that the time of your device is synced correctly?
I sync via GPS only (I do not have a network provider) and cycling my GPS radio on/off resolved. Doing so weekly seems to do the trick.
Surprisingly @antifarben it was not set as you described, thank you :) It work fine now.
@flocke I'm not sure what would be realistic but it would be nice to have
Automatic date and time is turned off (this warning should be configurable and I don't know whether this setting is readable anyway)True Time to compare the time with the device time. Print a warning if differs more than 30 seconds or so. This warning should be configurable as well in case the user knows what (s)he is doing.True Time. Should be decidable by the user as well.I just got bitten by this with v0.7.0; it turns out my phone had somehow got 'automatic date and time' turned off.
I only figured it out because the token rollover time wasn't consistent with what oathtool would generate, and previously-working keys no longer worked.
Phone died, recovered codes from backup. Spent hours trying to figure out why codes being generated weren't working. Laptop is isolated and locked down.. which also means no ntp. No ntp, no timesync.
Literally spent 3 hours trying to install otpclient. Modified python scripts, etc. Insert whole other rant wrt 2FA itself though.
It's not the fault of andOTP, though.
Although _maybe_ it's possible to read out the Android setting for activated NTP and show a warning if it's not activated.
This way it would be more obvious for users to see whether or what's wrong.
What do you think of that @flocke?
Yeah, that is something I am planing to do. I just need to read up a bit and see if there is an easy way to figure out if the automatic time settings are turned on in Android from within an app. But I currently don't have a lot of time to work on andOTP, so if someone else wants to look into this feel free to do so and open a PR afterwards.
My 6 digit codes stopped working on Github today (S9+). I used a recovery code to get in, re-scanned a new QR with andOTP, tried to validate it, no go, ever after waiting for the code to cycle. Sorry but I'm probably going to have to drop this product for now.
I've had issues in the past with Google Authenticator like this before, but it has a 'time correction' setting that puts all the codes back in sync and usually fixes everything, I don't see any option like that here.
I don't see any option like that here.
No, because your phone should have a _global_ setting for Automatic date and time anyway in the operating system.
Did you check my comment from August?
I have the exact same issue as OP.
Here is my bug report :
What is expected?
Same as OP :
The code is accepted by the service and 2FA enabled
What does happen instead?
Same as OP :
Every service gives a similar error message: "Invalid code" or, in GitHub's case, "Two-factor code verification failed. Please try again."
https://paste.brols.eu/?0859c933c26a8e20#At5MeDCy9GenNMqey3JfTc4ou1J8npnwKfBANLJQwQ9d
Same as OP :
- Create a new (or reuse an existing) account with services that offer 2FA TOTP
- Scan the QR code or manually input the secret
- Use the code provided by andOTP to enable 2FA
I checked that the Automatic date and time parameter was on and that the timezone was automatically selected. The problem still occurs.
One thing that OP and me had in common is the Android version. We were both using Android 4.4.2.
After I read to the issue and I did had the same issue with a different App in the past here are some hints how to debug the error:
My theory is that the error occurs because the date and time of your android device is out of sync. If the server implements the recommendations of the RFC it accepts the pin of the current time and the two pins in the past. This means the time of your android device must have a clock drift which is between -89 and 0 seconds.
The best way is to have a reliable external time source e.g. a cheap radio-controlled clock or a computer which is synced by ntp. To check the time of your android device against the reliable external time source there is the yellow bar at the top of the andOTP App. It shrinks to the left and disappears at 30 and at 60 seconds of the minute. The hour and minute you can get form the clock next to the battery level. Do not forget to also check the date.
The most common reason is that your wireless network operator is sending an inaccurate time information via the cellular network. To check this theory remove the SIM card from your device, reboot it and connect it to WI-FI. After a few seconds Android syncs the time via ntp. The clock drift then should be gone. Check the clock again with the external time source. Also the Pins generated by andOTP then should be accepted.
Android gives the time information from the cellular network a higher priority then ntp or dose not even use ntp if the time information is provided by the cellular network. This behavior might has been changed in newer Android versions. The clock drift therefore exists again after you put the SIM card back in to the device. If so contact your wireless network operator to check if they can do something about it.
If your device syncs the time via GSM this will not work. The Network Identity and Time Zone (NITZ) extension of GSM has an accuracy of plus minus 1 minute. So the chance is about 50% that your device is “out of sync” for the totp server. As @antifarben said then the best is to disable GSM time sync.
@ckleemann Thank you very much for your extensive answer !
First, I forgot to say that with the app FreeOTP, the TOTP codes are accepted by the remote server.
So I did your test for andOTP and I can affirm that the clock is synced to the correct time while the smartphone is connected or not to the cellular network.
In both cases, I carefully checked that the date and the TZ were correct. Then I opened andOTP and each time the yellow bar disappeared, I launched the command ntpdate -q pool.ntp.org to verify that the clock was correct and accurate to the second (with an error rate of ~ 1-3 seconds).
Same problem, can't generate code for Firefox Account. Android 8, andOTP from Play Store, I can give you informations needed to help.
Did you make sure that your device is synced correctly?
It depends on the phone you have but you can check it in the
Settings>General management>Date and time>Automatic date and timeIt is obviously important that
Automatic date and timeis activated.You won't be able to use time based OTP codes if your mobile phone is using a different time than the server.
Thanks a lot bud! that solved my problem!
Most helpful comment
Did you make sure that your device is synced correctly?
It depends on the phone you have but you can check it in the
Settings>General management>Date and time>Automatic date and timeIt is obviously important that
Automatic date and timeis activated.You won't be able to use time based OTP codes if your mobile phone is using a different time than the server.