Bit of a generic question this. I use TOTP in Bitwarden Premium extensively. Working in IT, I find it far more convenient than having to keep manually entering TOTP codes.
Recently I was locked out of 2FA on Bitdefender. It had been working fine for a long time. Fortunately, I had the secret key to get back in.
However, I couldn’t get 2FA working again with Bitwarden. I could scan the Bitdefender QR code and enter the first TOTP code but next time I tried, it was rejected.
I had to switch to Google Authenticator. Has anyone else had any trouble like this where BW TOTP just doesn’t work?
I’m about to go through setting up 2FA again with BW as my suspicion is a problem with Bitdefender. And yes, having two products called BitXXX is confusing
Good idea - this is on a Windows PC on a traditional Windows domain. It gets its time from the domain controllers, which in turn should get their time from an NTP time source. But from distant memory, it’s possible for this to not completely work.
Do I infer from this that TOTP code generation is critically tied to the local time? Always wondered how it worked.
Anecdotal additional evidence… a client uses the Nextcloud cloud storage system on a Linux virtual machine somewhere in Azure. Earlier today I spotted a weird anomaly. I’d just deleted a file and happened to look in the recycle bin and it said “Deleted in 1 minute”.
Yes, TOTP means “Time-based One-Time Password”. It uses the secret key and the current time to create the 6-digit code (which changes every 30 seconds). This is done both on the local device and on the server you are authenticating to, which is why authentication fails if the clocks are not synchronized.
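To make the mechanism concrete, here is an added example (not code from the thread, Bitwarden or Bitdefender) implementing RFC 6238 TOTP with HMAC-SHA1 and a verifier that accepts the current 30-second step plus one step either side. The ±1-step window is an assumption about the server; it is a common default, and it is why a clock that is off by a few seconds still works while one that is off by more than a minute, as in the domain described above, is rejected. The base32 secrets are constructed test values, not real keys.

```python
"""Added example: RFC 6238 TOTP generation plus a verifier with a +/-1 step
window, to show how clock skew between client and server breaks login.
All secrets here are constructed demo values."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# Constructed demo secret in the base32 form found in an authenticator QR code.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, unix_time: float,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 / RFC 4226: HMAC-SHA1 over the 64-bit big-endian time counter,
    then dynamic truncation to a zero-padded decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, server_time: float,
                window: int = 1) -> bool:
    """Accept the code if it matches the server's current step or any step
    within +/-window (assumed server policy; window=1 tolerates ~30-60 s)."""
    for k in range(-window, window + 1):
        expected = totp_code(secret_b32, server_time + k * STEP_SECONDS)
        # Constant-time comparison so timing does not leak how close a guess was.
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def skew_outcomes(secret_b32: str, server_time: float, skews) -> dict:
    """For each skew (client clock minus server clock, in seconds), generate the
    code a skewed client would show and report whether the server accepts it."""
    return {
        s: verify_totp(secret_b32, totp_code(secret_b32, server_time + s), server_time)
        for s in skews
    }


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp_code(DEMO_SECRET_B32, now))
    # A client whose clock is a minute or more out (like the misconfigured
    # domain controllers in the thread) produces codes the server rejects.
    for skew, ok in skew_outcomes(DEMO_SECRET_B32, now, [0, 25, -25, 70, -70, 120]).items():
        print(f"client clock off by {skew:+4d}s -> {'accepted' if ok else 'REJECTED'}")
```

Two things worth noting from the code: the verifier only ever compares against codes computed from the server's own clock, so the client's clock is trusted for nothing; and the first code after scanning a QR code can succeed by landing inside the window while later ones fail, which matches the symptom in the original post.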
The time system on my local Windows Active Directory domain wasn’t set up correctly. My two domain controllers were running on different Hyper-V servers and each had slightly different CMOS time settings, both out by over a minute. The time service on Windows domain controllers should be configured to get their time from NTP, e.g. time.windows.com, not from the local CMOS. Once this was resolved, the Windows computers connected to that domain started getting their time from the domain, not their local CMOS settings - which were often out. So all in all, the Windows domain was misconfigured time-wise, and now it’s all working well.
I’ve been able to switch back to Bitwarden for Bitdefender 2FA. So thanks for the pointer.
However… why was the browser Bitwarden extension using the local time off the computer? Shouldn’t it use NTP itself for cases like this?
I think it is standard for TOTP authenticators to use local system time. For example, the authenticator app may be installed on a device that is not internet-connected.