2FA treats OTP codes as (used) backup codes

When I try to log in I am asked to insert my OTP code, as expected since I enabled 2FA. However, access is often denied with the server complaining about «Invalid authentication code. Each code can only be used once.»:


I suppose this is because it thinks I’m trying to use an (already used) backup code and I’m not. If I hit the Log in button enough times, after some attempts resulting in the same error I can log in. Also if I wait enough time for the code to change. Not a big problem, but quite annoying.

Is this a known issue?

I don’t know if it is related, but I’m not the only one with login issues, see Can’t login Tor forum (both .net and .org) using email/password.

We’re not aware of issues with OTP authentication currently, neither with this forum nor Discourse upstream.

Can you check if the device you’re using to generate the codes has a clock that’s correctly synchronized, e.g. using something like NTP? The OTP protocol requires that all devices involved agree relatively precisely on the current time, so if your device’s clock is drifting, that might cause issues like what you’re seeing.

I suppose this is because it thinks I’m trying to use an (already used) backup code and I’m not.

OTP codes are also one-time use, so it’s a consistent error message for this context.

If I hit the Log in button enough times, after some attempts resulting in the same error I can login. Also if I wait enough time for the code to change.

Definitely sounds like clock drift: your application might be generating OTP codes that have an erroneously limited lifespan because of this.

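The clock-drift explanation above, as an added example that is not part of the original thread and is not Discourse's or the forum's own code: an RFC 6238 TOTP generator beside a server-side verifier that accepts codes within a small window of time steps and records the last consumed step so a code cannot be replayed. The secret (the RFC 4226/6238 test key), the fixed server timestamp, the 6-digit length and the window size are assumptions chosen for the demonstration; `simulate()` runs a client whose clock is off by a given number of seconds against that verifier.

```python
import hmac
import hashlib
import struct

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6    # 6-digit codes (assumption for this example)

# RFC 4226 / RFC 6238 test key; any real deployment uses a random per-user secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock, floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the exchange.

    A submitted code is accepted if it matches any step within +/-window of the
    server's current step.  The highest step already accepted is remembered, so
    the same code (or an older one) cannot be used again.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP, digits: int = DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1   # highest time step already consumed by a successful login

    def verify(self, code: str, server_time: int) -> tuple[bool, str]:
        now = server_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                if counter <= self.last_counter:
                    # Same step (a replay) or an older step than one already accepted.
                    return False, "Invalid authentication code. Each code can only be used once."
                self.last_counter = counter
                return True, "ok"
        return False, "code does not match any time step in the accepted window"


def simulate(drift_seconds: int, window: int = 1, secret: bytes = TEST_SECRET) -> tuple[bool, str]:
    """Client generates a code with a clock that is `drift_seconds` off; server checks it.

    The server time is a constructed fixed timestamp, not the wall clock, so the
    result is deterministic.
    """
    server_now = 1_700_000_000
    client_code = totp(secret, server_now + drift_seconds)
    return TotpVerifier(secret, window=window).verify(client_code, server_now)


if __name__ == "__main__":
    for drift in (0, 30, 60, -51):
        print(f"client clock off by {drift:+d}s, window=1 step:", simulate(drift))
    print("client clock off by +60s, window=2 steps:", simulate(60, window=2))
    # Replay: the same valid code submitted twice.
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 1_700_000_000)
    print("first use: ", v.verify(code, 1_700_000_000))
    print("second use:", v.verify(code, 1_700_000_000))
```

With a one-step window, a client clock that is more than about a step out of sync produces a code the server never considers, and the code only starts matching once the client's drifted time and the server's time happen to fall into overlapping steps, which is the intermittent behaviour the poster describes. Which message a drifted client sees depends on where its step lands: a verifier structured like this one reports the one-time-use message when a slow clock produces a step at or below the last one already consumed, and a generic mismatch otherwise. The fix is to keep the client clock synchronized rather than to widen the window, since every extra step accepted multiplies the number of codes an attacker may guess.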

Definitely sounds like clock drift

It’s so obvious I didn’t even think about it. Now that you suggested it, it’s my best guess too.
I resync my clock once a day (to avoid exactly this problem with another service) and at the moment it’s correct - and I could log in without issues - but next time I have problems I’ll check. Thanks for your suggestion.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.