TOTP broken on Bitwarden forums

TOTP seems to be broken on the Bitwarden forums. The clocks on the Discourse servers must be slightly out-of-sync; anytime I enter my current TOTP code, I’m told it’s invalid (“Invalid authentication code. Each code can only be used once.”). I have to wait about 30 seconds after the code has technically expired before the code is considered valid by Discourse. That means the servers’ clocks are probably lagging by about a minute. I’ve ensured that my own clocks are in sync and have tried generating the code on multiple devices to ensure they’re the same.

Is anyone else able to reproduce this? I’ve already filed a support request with Bitwarden, but I just want to make sure it’s not anything on my end.

I cannot reproduce this. My two-factor codes appear to work just fine (just checked).

1 Like

Support replied to my email and confirmed that it’s an issue. They may have already fixed it.

1 Like

This also happened to me. In fact I even got to reset my TOTP configuration the other day believing it was my fault.

Loggin in just now it happened again. Error on the first try, success after some seconds.

1 Like

Makes sense, @Zenexer - thanks for letting us know.

1 Like

It’s also possible you’re hitting a different server. In any case, it should be pretty easy to fix. Just figured I’d report it.


May be a time issue, or possibly a configuration too.
With more aggressive TOTP I know it can be limited to only accept the current code and nothing else. Should the UTC time be off though that would be another issue.

Other TOTP servers can be set to accept some type of a “drift” usually one additional token forwards and backwards are accepted as valid by the service.
This allows for some variance in individual user clocks on devices and also possibly latency on a network if you type in a code and it “expired” before actually reaching the service for authentication.

So could possibly have been either of those as they are common issues when running into TOTP problems.
Glad you were able to report it and let others know, and the team got it handled quickly.
Always awesome when people are on top of maintaining such a vital service for us.

In this case, the clocks were running slow rather than fast. A code only became valid if I waited ~30 seconds to submit. The possibility you’re describing would exhibit the opposite behavior: I would have to enter a code early rather than late.

I believe Discourse opts for a standard one-window grace period, but don’t quote me on that. That would mean the clock was running about a minute slow.