Windows client doesn't provide correct 1-time passwords despite machine time being correct

I have the Windows client installed on 3 machines, the iOS client installed on 6, and the macOS client on 1. The iOS and macOS clients have no problem providing the correct one-time passwords on accounts that I've enabled 2FA; the Windows clients at this point, for whatever reason, are not, despite the machines' time being correct (provided by domain controller synced to time.gov). I've taken the step of disabling 2FA for a couple accounts and re-adding them via QR code and, when updated this way, they provide correct one-time passwords when prompted, but I'd really like to not have to do that for all of my 2FA-enabled accounts. Any insight would be greatly appreciated!


1Password Version: Windows 7.6.785
Extension Version: Not Provided
OS Version: Windows 19041.572 (and later)
Sync Type: 1Password account
Referrer: forum-search:one-time password

Comments

  • GregGreg

    Team Member

    Hi @AGC,

    Indeed, it is quite strange that only Windows machines misbehave like this. Could you please take a look at your time settings and tell me if they look similar to mine?

    Also, am I right to understand that if you update a 2FA code for an item, this new code works correctly, but old codes continue to fail? Please confirm, as this makes the situation even stranger. Thanks!

    ++
    Greg

  • Hi Greg! My settings page does look like that although the Time server setting is set to synchronize via domain controller, which as it turns out is likely the problem. I have 1Password installed on two corporate Windows machine and one personal Windows machine; the personal Windows is not seeing the problem, unlike what I originally posted, which almost certainly means something is wrong in the time sync via our domain controller, I think?

  • ag_anaag_ana

    Team Member

    @AGC:

    I think you hit the nail on the head. If you look at one of the corporate machines and at your personal Windows computer, is the time different?

  • AGCAGC
    edited November 14

    The time is different but theoretically not enough to affect matters, I thought. It’s only 30 seconds off from time.gov’s clock. Is that enough to foul this up?

  • ag_anaag_ana

    Team Member

    @AGC:

    Yes, 30 seconds is actually enough, since that's the default validity time of a TOTP ;)

  • Great, problem solved! I'll get my network admins to see if we can fix the domain controller time issue then. Thank you everyone!

  • ag_anaag_ana

    Team Member

    You are very welcome @AGC! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file