"Can’t sign in. Too many requests. Try again later." 2FA won't work? Not sure what I did wrong.

mtwcaputo

Hi,

I recently added 1password to my Windows Desktop and Android phone (S7).

Everything was working well. I had 2FA authorization for new devices using either a Google Titan Key or the Google Authenticator app on my S7.

I went to add 1password to a Second Windows Laptop and second Android phone (S9).

I added the program and chrome add-on to both the second laptop successfully. I added it to the S9 successfully.

Since I don't always have both of my phones on me, and it makes me nervous having 2FA codes locked on a single device that could be damaged or lost, I wanted to ensure both my phones had access to the 2FA code. I requested new 2FA codes on the 1password website. A QR code popped up and I scanned the code into both Google Authenticator apps on both phones. Both phones reported identical codes and were more or less in sync (about 1 second of skew).

Just to make sure the 2FA was updated correctly, I went to log into my 1password website on a THIRD computer. I typed in the secret key, master key, etc. Just like I expected, I was prompted for a 2FA key.

Here's were things went bad: the 2FA keys from both phones didn't work after multiple attempts (they were identical).

I then plugged in my Google Titan Key. It was also rejected.

Now I'm locked out of the account for now.

The temporary lockout isn't that big of deal, but I'm a bit concerned because I don't understand two things that happened:

1. Why don't the 2FA codes on my phone work? I'm wondering if perhaps I didn't click "OK" or "Save" when I was on the 1password website, but either way, it's a bit concerning as I scanned the QR code to allow the apps to know the code and deleted the other authentication code, so it was too late to go back at that point.

2. What really concerns me is the Google Titan Key. I bought the key to be a safe backup in case my 2FA device gets damaged or lost, and I keep the key in a safe place. To me it's supposed to be a failsafe. I'm really not sure why it's not being accepted as 2FA because I didn't attempt to adjust the hardware key aspect of 2FA.

Thanks.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

ag_ana

Hi @mtwcaputo! Welcome to the forum!

Why don't the 2FA codes on my phone work? I'm wondering if perhaps I didn't click "OK" or "Save" when I was on the 1password website, but either way, it's a bit concerning as I scanned the QR code to allow the apps to know the code and deleted the other authentication code, so it was too late to go back at that point.

It's possible that this is because you did not save the correct code, yes. But it could also be because the time was off on either your phone or your computer. 2FA is very time-sensitive, so any drift in time on any of your devices could cause the authenticator codes to be rejected.

A good resource that makes it easy to check this is the following website:

https://time.is/

After making sure the time is the same on every one of your devices, your authenticator codes should be accepted. The reason I mention this is because you wrote this:

Here's were things went bad: the 2FA keys from both phones didn't work after multiple attempts (they were identical).

If both phones were showing the same codes, then it is expected that both would not work. So perhaps it's worth checking if the time is off on this third computer (if it's a Windows computer, I know from personal experience that this is a common occurrence).

What really concerns me is the Google Titan Key. I bought the key to be a safe backup in case my 2FA device gets damaged or lost, and I keep the key in a safe place. To me it's supposed to be a failsafe. I'm really not sure why it's not being accepted as 2FA because I didn't attempt to adjust the hardware key aspect of 2FA.

Did you get an error message when your key was refused?

mtwcaputo

Thanks very much for your prompt response @ag_ana .

The syncing aspect of the codes sounds like a reasonable theory. I'll check the time on the "THIRD" computer and make sure it's synced to my phones. If the syncing doesn't seem to be an issue, I'll also regenerate the codes when the lockout expires and see if I need to click "save".

What really concerns me is the Google Titan Key. I bought the key to be a safe backup in case my 2FA device gets damaged or lost, and I keep the key in a safe place. To me it's supposed to be a failsafe. I'm really not sure why it's not being accepted as 2FA because I didn't attempt to adjust the hardware key aspect of 2FA.

I recall just seeing it was rejected and not a valid 2FA. It didn't seem to be anything like "too many attempts". However, I'm wondering if I had already reached the "lockout threshold" for too many 2FA attempts. Once I get unlocked out, I will try it again.

ag_ana

@mtwcaputo:

The syncing aspect of the codes sounds like a reasonable theory. I'll check the time on the "THIRD" computer and make sure it's synced to my phones. If the syncing doesn't seem to be an issue, I'll also regenerate the codes when the lockout expires and see if I need to click "save".

Sounds good :+1: From what you wrote, I think it was a time sync issue, so there might be no need to generate a new code in that case.

I recall just seeing it was rejected and not a valid 2FA. It didn't seem to be anything like "too many attempts". However, I'm wondering if I had already reached the "lockout threshold" for too many 2FA attempts. Once I get unlocked out, I will try it again.

Absolutely, please let us know if you see this again and we can definitely take a closer look!

mtwcaputo

Hey @ag_ana

The problem was definitely "user error". Haha.

I checked the time syncing. It was fine. All my phones and computers were accurate to within a second or two of time.is.

Once the lock out expired, I retried the authenticator app code ONCE to prevent additional lockout. The code failed. I then tried the titan key. It worked successfully, which verifies that it can be a backup option. I'm guessing it didn't work before because I had already hit the 2FA lockout threshold.

I then logged into my account on my first computer. I rescanned the QR authenticator code on my phones. The "user error" from before was I didn't click "next" and actually verify the code from the app, so it didn't update on your end.

To test, I deauthorized the original laptop that 2FA failed on, and have retried the new, properly updated authenticator codes from my phone a couple times, as well as the titan key, and they now work.

Thanks for your help!

ag_ana

You are welcome @mtwcaputo, and thank you for the update! I am glad to hear everything is working as expected :)

If you have any other questions, please feel free to reach out anytime.

Have a wonderful day :)