TOTP not valid

Every time I log in and enter the OTP, the OTP is always invalid. As a result my DigitalOcean account was deactivated due to unusual actions. Can you fix this?
Is there something wrong with my settings?

Finally I came back again using Authy.

I don’t believe that’s an issue with Bitwarden, but more so with DigitalOcean. Verify you entered the correct TOTP code from DigitalOcean into Bitwarden by disabling 2FA with DigitalOcean and re-enabling it to get a new code.

Try that.

Regarding your problem:
Make sure to have the correct time on all related devices and to have them all in the same timezone.

Some general info:

  • Use the mobile app for Bitwarden to scan the QR-code. If that is not possible try a copy-paste of the “secret code” webpages give you directly into the Bitwarden app/extension. Never just “type” them. The risk of a typo is too high.

  • Make sure to save the so-called recovery- or backup-code whenever you activate 2FA.

1 Like

I deleted 2FA and enabled 2FA again. The results are useless.
I want to record it, but there is too much sensitive data.
If you have the same problem, please upvote here.

@Abdul @Peter_H makes an excellent point: TOTP codes are based on the exact time that your computer is at. If the time on your computer is off by even a minute, then it’s possible the codes will be 1 minute behind or ahead of what they’re supposed to be. Check your computer and device time; depending on where you are in the world you might have DST, so make sure that’s set correctly as well. If all time is correct, I would suggest manually changing the time and then changing it back to pull automatically so the devices update correctly.

If those don’t work, open an issue on GitHub, as this is more of a bug than functionality. Though I would also reach out to blue ocean first to see if it’s something on their end, or test with another authenticator app first to rule out that Bitwarden is the issue.

It does work very well and mostly (personal experience: x >> 99%) is very reliable. Because of the missing ~1% you should ALWAYS implement a 2nd and different form of 2FA like Duo (unless you already used it for TOTP), Yubikey, etc.

However, here is my next remark:
On all webpages (or apps) on which I implemented 2FA it worked like this:

  • Select to choose 2FA
  • Scan the QR-code or copy-paste its text version into the program you use to store the 2FA-data. This can be Bitwarden or other programs like Aegis, Authy, Duo, Google/Microsoft Authenticator, etc.
  • All webpages/apps I have encountered then asked to confirm the activation by entering a TOTP code. So unless you confirm this using the correct code 2FA will not be activated.

If 2FA does not work for you, how did you get it activated?

Question @all:
Is it necessary to have the correct time on the server too? That is something a user does not have any influence on.

No, because TOTP is based on the time of your machine, vs the server’s machine. So server time should not affect TOTP. But your time changing could affect a TOTP. I’m sure it’s resilient to DST, but I’m not sure if it would still work if you adjusted the time by a few minutes.

In the meantime I had looked it up but did not have the time to reply to my own question:
According to RFC6238, section 3 “Algorithm Requirements”, R1 (see: *):

The prover (e.g., token, soft token) and verifier (authentication or validation server) MUST know or be able to derive the current Unix time (i.e., the number of seconds elapsed since midnight UTC of January 1, 1970) for OTP generation.

In other words: The server also needs to have both the correct timezone-setting and the correct time.

(*) RFC 6238 - TOTP: Time-Based One-Time Password Algorithm
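
An added example, not part of the original posts: a minimal RFC 6238 TOTP generator and verifier in Python, showing that a code depends only on the shared secret and the Unix time (no timezone enters the calculation) and how a verifier's tolerance window decides whether a client with a drifting clock is accepted. The function names, the `window` parameter and the sample secret (the RFC 6238 test key) are assumptions for illustration, not any site's actual configuration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step, in seconds

def decode_secret(text: str) -> bytes:
    """Decode the base32 "secret code" a site shows beside the QR code."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is floor(unix_time / STEP); Unix time is UTC-based."""
    return hotp(key, unix_time // STEP, digits)

def verify(key, submitted, server_time, window=1, digits=6):
    """Return the step offset at which the code matched, or None if rejected.

    window=1 accepts the previous, current and next 30-second step
    (an assumed policy; each verifier chooses its own tolerance).
    """
    counter = server_time // STEP
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + offset, digits), submitted):
            return offset
    return None

if __name__ == "__main__":
    # Constructed sample: RFC 6238 test key and one of its test timestamps.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    server_now = 1111111109
    for skew in (0, -30, -60):  # client clock error in seconds
        code = totp(key, server_now + skew, digits=8)
        print(skew, code, verify(key, code, server_now, digits=8))
```
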

UTC doesn’t have timezone.

That is correct but it is the basis for the timezone settings of both clients and servers.

I think that this only affects generating a TOTP code. I’m an Admin in a community forum where you are able to protect your account with the help of 2FA. One user wasn’t able to activate 2FA because the time on the server was wrong. After fixing this, the user was able to generate a TOTP code. :wink:

@Abdul
Did you try another site having 2FA activated?

@DenalB
Only DigitalOcean and RunCloud cannot be used with 2FA. The other sites can be used with TOTP. I use desktop Authy and there are no problems logging in using 2FA on DigitalOcean.
So it’s not a matter of setting the time on my computer.

1 Like

I set up a test account on runcloud.io, activated 2FA (using the text and the Bitwarden extension for Google Chrome on W10), successfully verified 2FA, logged out and back in. 2FA worked fine.

Then I de-activated 2FA, re-activated 2FA (this time using the QR-code with the Android version of Bitwarden), successfully verified 2FA, logged out, didn’t want to wait till the extension is synced again, so manually synced it, logged back in. 2FA again worked fine.

In other words: I cannot see any issue with Bitwarden.

You still have not answered my question: If 2FA does not work for you, how did you get it activated?

1 Like

Did the same at Digital Ocean, this time only using the QR-code. Again no issues.

1 Like

I will try to record.

1. I disabled 2FA on RunCloud.
2. Then I reactivated it using a QR scan from the Bitwarden app on Android 10 Mi A1.
3. Logged out and recorded my screen.

Windows 10
Mi A1
Bitwarden Chrome extension
Bitwarden apps 2.4.2

This video shows how I use 2FA. For a while I used Authy…
Before this everything worked fine.

https://drive.google.com/file/d/103vSGGMdosRVBrvogSBe6FH8ZyLTcUU_/view?usp=sharing

If you compare the 2FA codes in browser extension and in mobile app are they the same? :confused:

The result is the same :joy:

1 Like

Maybe you should contact the support team directly with this issue:

Do you have another TOTP tool you can use to compare, e.g. Authy? It would be interesting to see what codes are being generated by the two different apps.

1 Like