babbelmanet
New Contributor
8 days ago

2FA code drift

Hi,

I started using 2FA for my main 1Password account a while ago on a Windows machine. After a while I reinstalled a new Windows version on that machine and since then the 2FA codes are not working anymore. I suspect that maybe I (unknowingly) had some minutes of drift on the old machine and thus the codes are always off now with the correct time. How can I recover this account? I already tried coding some scripts to try out different drifts of the 2FA codes but testing those obviously is very slow because of failed login limits.

Best

B

5 Replies

  • Hello babbelmanet! 👋

    I'm sorry that you're running into an issue with 2FA. A time-based one-time password (TOTP) is generated from the following: 

    1. A secret that you save in an authenticator app. 
    2. The current time. 


    1Password only saves the secret and it doesn't save anything related to the time. Websites that support TOTP 2FA will usually require that you enter the one-time password generated by your authenticator app after you save it in order to confirm that the one-time password was saved correctly. If the time was off on your old device then you wouldn't have been able to enable 2FA since the one-time password would have been wrong from the beginning. 

    "After a while I reinstalled a new Windows version on that machine and since then the 2FA codes are not working anymore."

    You'll need to make sure that the date, time, and time zone on your devices are all accurate for where you are in the world. The exact instructions for doing so vary from device to device, but their controls can usually be found in your device settings. The Time.is website can help you verify the accuracy of your date, time and time zone settings.

    Once you've verified that the time is correct, using the website in the previous paragraph, check to see if the one-time password is now working. If it isn't, can you check 1Password on all of your devices? Do you see the same one-time password on each device, or do the one-time passwords differ from device to device?

    -Dave

  • babbelmanet
    New Contributor

    So what's the solution? Export all passwords to an encrypted filesystem. Delete my full 1Password account and create a new one?

  • AJCxZ0
    Bronze Expert

    The only time which matters is the current time according to the client generating the TOTP code.

    How to ensure that your client platform knows the correct time will depend on the platform and environment in which it runs. The Network Time Protocol (NTP) has existed for forty years and there are pools of free services available to anyone with a connection to the Internet to ensure that their clocks are accurate.

    • babbelmanet
      New Contributor

      I know all that, but yet I somehow managed to set it up in a way so my codes are never valid on the new machine. I tried different timezones, different daylight saving times, drifts around the NTP time. Nothing worked so far.
      And again, this is only affecting my main 1Password account 2FA. All other 2FA codes seem to have been set up with the correct time and are working.
      So what's the solution? Export all passwords to an encrypted filesystem. Delete my full 1Password account and create a new one?

      • AJCxZ0
        Bronze Expert

        If just one one-time password is failing, but all the others work, then that is a very different problem from the one which you first described.
        In this case, remove the existing one-time password, then add a new one. Be sure to leave yourself logged in while you test in a Private or Incognito session.

        As for time and TOTP, nothing like time zones is relevant, just the number of seconds since the epoch.
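
An added illustration of the points made in the replies above (not part of any post in this thread, and not 1Password's code): a standard RFC 6238 TOTP computation showing that the code depends only on the secret and the Unix time, plus a hypothetical helper, `matching_step_offsets`, that reports how many 30-second steps a displayed code is away from a reference clock. It assumes HMAC-SHA1 and 30-second steps, and uses the published RFC 6238 test key as a constructed sample secret.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: a function of the secret and Unix time only."""
    secret_b32 = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    # The only time input is the count of whole steps since the Unix epoch (UTC);
    # time zone and daylight saving never enter the calculation.
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step_offsets(secret_b32, shown_code, reference_time, max_steps=10, step=30):
    """Hypothetical diagnostic: which step offsets from reference_time yield shown_code?

    An offset of 0 means the device clock agrees with the reference clock;
    +2 means the device is roughly two steps (60 s) ahead.
    """
    return [k for k in range(-max_steps, max_steps + 1)
            if totp(secret_b32, reference_time + k * step, step, len(shown_code)) == shown_code]

# Constructed sample secret: the published RFC 6238 test key, never a real account secret.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    reference = 1111111109  # Unix time taken from the RFC 6238 test vectors
    print(totp(RFC_SECRET, reference, digits=8))  # 07081804
    # A device showing the code for the next step is one step ahead of the reference.
    print(matching_step_offsets(RFC_SECRET, "14050471", reference))
    print(totp(RFC_SECRET, time.time()))  # code for this machine's current clock
```

If a code matches at offset 0 against an accurate clock but is still rejected, the mismatch lies in the stored secret rather than in the time.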