Bitwarden TOTP doesn't match Authy sometimes

Sometimes I have a problem logging into my work Microsoft account using 2FA. The TOTP code generated in Bitwarden does not work. I then try using the one in Authy and it works fine.

Normally, the codes generated by Bitwarden and Authy are identical. But sometimes Bitwarden generates incorrect codes. I understand Bitwarden uses my computer’s system time, but doesn’t Authy use this also? I’ve verified my system’s time is accurate. Whatever Authy is using seems much more reliable. Anyone else notice this?

BTW, my system time is automatically synced with the corporate server time.

I’ve heard of TOTP generators producing different codes - almost always because of a time issue - but I haven’t come across a case where codes are usually in sync and only sometimes incorrect. Are you using both Bitwarden and Authy on your computer?

Yes, I have both Authy and Bitwarden installed on the same computer. I started using Bitwarden for TOTP after switching from LastPass and I have not encountered any issues with it except for this one scenario. This morning the codes generated in Bitwarden didn’t work for my work Microsoft account and it was generating different codes than Authy. The Authy code worked. Later in the day Bitwarden is generating the same codes as Authy and they work. This seems to happen once or twice a week. I would assume it’s a system time issue, but unless Authy uses a different time than Bitwarden, that wouldn’t explain why they generate different codes on the same computer.

I also have noticed an issue with Bitwarden not matching itself.

I was attempting to log into Reddit on my PC, but the TOTP generated by Bitwarden kept failing. So I checked Authy and input the code from there… and it worked!

So, I disabled/reenabled 2FA on Reddit. But I immediately noticed that the QR code scanned into Authy didn’t generate the same TOTP as the key input manually into Bitwarden for Firefox. So, I deleted the key in Bitwarden and tried scanning the QR code in Bitwarden for Android… and the codes in Authy and Bitwarden for Android match! However, the TOTP in the Bitwarden for Windows app matches the PC browser extension but does not match the Bitwarden for Android app. Yes, I confirmed they are synced.

I do notice that my phone’s clock and my PC’s clock are off by about 5 minutes, but that shouldn’t affect it, should it?

Yep, the codes are usually only valid for 30-90 seconds, so a time offset greater than that will absolutely cause them to be different (note I said different, not necessarily invalid to the system you’re logging into :wink:)

Time zones are what usually cause issues. If two devices have the same time but different zones, they’re effectively off by hours. It happens with daylight savings, European summer time, etc. Always good to check and validate against UTC on both devices.

So why, when I was initially logging into Reddit on my PC, did my Authy for Android code work, while my Bitwarden for Windows code did not?

Reddit may not allow codes older than 90 seconds. They really should be the same, based on the correct time.

Yeah, as Trey said, the codes aren’t valid for very long. Two devices 5 minutes apart will definitely produce different codes. TOTP actually stands for Time-based One-Time Password.

As for @jpreed, I’m a bit stumped! I don’t know how two TOTP generators on the same device could produce different codes some of the time.

I think Authy may be doing some background work, perhaps its own time sync? For a TOTP generator it sure puts through a lot of network traffic :sunglasses:

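An added example, not part of the thread and not Bitwarden's or Authy's code: a minimal RFC 6238 generator showing why a 5-minute clock offset yields a code the server rejects, plus a diagnostic that estimates how far a generator's clock is from a trusted reference. The function names are hypothetical and the secret is the published RFC 6238 test key, not a real account secret.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per time step (RFC 6238 default)
# RFC 6238 test key "12345678901234567890", base32-encoded (public sample value)
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6, step=STEP):
    """RFC 6238 TOTP (HMAC-SHA1). Input is Unix time, i.e. UTC seconds;
    the local time zone setting plays no part in the calculation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Server-side check that tolerates +/- `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )

def estimate_drift(secret_b32, code, reference_time, max_steps=20):
    """Offsets in seconds (nearest first, quantised to STEP) at which the
    reference clock would have produced `code`."""
    steps = sorted(range(-max_steps, max_steps + 1), key=abs)
    return [k * STEP for k in steps
            if totp(secret_b32, reference_time + k * STEP) == code]

if __name__ == "__main__":
    now = 1111111109                 # constructed reference time (an RFC test value)
    pc_code = totp(SECRET, now)      # generator with a correct clock
    phone_code = totp(SECRET, now + 300)  # generator whose clock is 5 minutes ahead
    print("correct clock:", pc_code, "accepted:", verify(SECRET, pc_code, now))
    print("5 min ahead:  ", phone_code, "accepted:", verify(SECRET, phone_code, now))
    print("estimated drift (s):", estimate_drift(SECRET, phone_code, now))
```

Comparing the code a device shows against `estimate_drift` with a trusted UTC timestamp tells you whether that device's clock is the cause, to within one 30-second step.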