2FA sometimes does not work
I've noticed a few times where 1Password for Windows asks for the 2FA code and does not accept the correct code. Have seen this happen on both my work computer with 1Password for Teams/Business and on my personal home computer where I have a separate 1Password personal account. I don't mix the two so it is happening to two completely separate accounts on two different computers.
I am only reporting what I have experienced as I am eventually able to provide the 2FA code successfully.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Most commonly this is trouble with your local time settings on your PC, @Cartman. TOTP, as you may well know, generates a code based upon your TOTP secret, your local machine time, and math. If the time is off, then it's not going to generate the right code. It also totally can behave in a manner where it works sometimes with the time off because a given code is good for a defined about of time, like 30 seconds. So if your time is off by less than 30 seconds, it will still work sometimes, it's just your window where it will work is smaller. Anyway, long story short(ish), next time you see this, try toggling all of the settings to automatically set your time in Windows settings, then toggle them back on. That will correct any time drift and, 9 times out of 10, correct any issues with TOTP. :+1:
0 -
Thank you @bundtkate.
Will verify that the time is accurate the next time this happens. I am fairly certain that the time is accurate since our corporate network synchronizes with time.gov, time.nist.gov, pool.ntp.org, etc. and my home computer is likely configured to sync with whatever the default internet time setting is for Windows 10 (probably time.windows.com). I use MFA frequently with other services and have only witnessed this behavior in 1Password for Windows.0 -
Thank you for the update. I have seen this issue with time settings very often in Windows, so if you could double-check those, it is likely that those will be the culprit.
A good resource that makes it easy to check this is the following website:
https://time.is/
After making sure the time is the same on every one of your devices, your authenticator codes should be accepted.
0 -
Think I may have found the scenario where it wont accept the correct code.
I have 1Password set to never lock automatically since I either lock Windows manually or it locks after 15 minutes of inactivity. I normally shutdown every evening but last night I was in the middle of some work so I left my computer running. This morning shortly after logging into Windows I was presented to enter the 2FA code. It would not accept the correct code after many repeated attempts. I verified that the time was correct using the website time.gov but it would not accept the correct 2FA code no matter what I did.
At this point I gave up and hit cancel to dismiss the 2FA prompt. A few seconds later it came back asking for the code again. This time it took it on the first try. Maybe the prompt that 1Password displays times out and will no longer accept the code until you cancel it and get presented with a new one.
Not certain if this is the case but I do know that it is not a time problem at this point.
0 -
I'm actually thinking it could be network in that case, @Cartman. Waking from sleep is generally quite troublesome on that front as Windows can take some time to get your network fully ready. If it's not ready, 1Password can't check that code with the server so it's just going to fall on its face. A few things if you see it again – check in the top right corner of your app by the X and see if you see a crossed out cloud icon there when this happens. Also, I'm a bit curious as to why you're being prompted for 2FA so often in the first place – I had assume you were signing in on the website, but your mention of autolock now makes me think it's the desktop app and your app should only prompt you for MFA on a new device you've never signed in before. I'm starting to think it may not ever be completing properly ...
0 -
Yes, sorry that I was not clear....this is happening with the Windows desktop app.
0 -
Oh, it's no problem at all, @Cartman. It was my fault for making an assumption in the first place. Certainly MFA issues on the website are more common, but the desktop app absolutely can and does misbehave at times and I should know better than to presume it's not.
Give it is the desktop app, though, that seems almost like it has to be network. Or, more precisely, something preventing a proper connection to the server fairly often. MFA is required only the very first time you sign in with a given device and under certain circumstances where you specifically trigger that requirement, like if you tell your PC to require MFA next time from the website. Once you've authorized and synced up for the first time, your encrypted data is already available locally on that device so MFA doesn't really provide much in the way of additional protection – the only thing it would do is prevent any changes from syncing to that device.
Anyway, that aside, I think it would be best to take a look at some diagnostics at this point. I suspect we might be chasing our tails a bit here and that the reality is that your codes have been fine the whole time and what's wrong is that you're having significant enough issues connecting to the server that auth is having trouble across the board. It's not that the codes are wrong, it's just failing often enough to be a giant fuss. To that end, I'd like to ask you to create a diagnostics report from your PC:
Sending Diagnostics Reports (Windows)
Attach the diagnostics to an email message addressed to
support+forum@agilebits.com
and include a link to this thread in case someone other than me is the one who sees them first. That way they'll have the benefit of the context of our discussion here.You should receive an automated reply from our BitBot assistant with a Support ID number. If you post that number here, that'll help us track the diagnostics down quicker so we can take a look as soon as possible. Once one of us has an opportunity to look them over and find some clues, we'll get back to you via e-mail with next steps. :+1: Thanks!
0