goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

TOTP out of sync #8721

Open masterdot opened 4 months ago

masterdot commented 4 months ago

Describe your question/ my install does some weird things with 2FA. It looks to me like the token generation is out of sync. I enter the TOTP code, nothing happens. Enter the same one a second time to get an error, wait for a newly generated token, and then it's working. Same with WebAuthn as 2FA.

Relevant info Screenshots

https://github.com/goauthentik/authentik/assets/493105/087d8d23-c602-4b98-b46d-50ece299a86f


Logs Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

Additional context this is the output of timedatectl

           Local time: Wed 2024-02-28 16:30:05 CET
       Universal time: Wed 2024-02-28 15:30:05 UTC
             RTC time: Wed 2024-02-28 15:30:05
            Time zone: Europe/Berlin (CET, +0100)

System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

So everything seems to be setup up correctly...

rissson commented 4 months ago

2021.8.5 is more than 2 years old. I recommend you upgrade.

CookieGMVN commented 4 months ago

@rissson Nah, that's just the version that authentik's owner added as an example for bug issues. Seems he/she didn't change it.

masterdot commented 4 months ago

uhh, sorry!

i was on the wrong device for details :)

teambvd commented 4 months ago

In every instance I've seen this, the issue is with the time sync on either the device generating the token or on the server itself. If you've confirmed your NTP settings on the server, the next step would be to validate the device you're using - if it's already set to sync via cell tower, manually set it (entering it to the second) on the device (or vice versa).

Alternatively, you could increase the system's "accepted skew range" (e.g. allow for further out-of-sync devices), but this makes it a bit less secure as there are then more acceptable tokens at any given point in time.
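The skew trade-off described in this comment, as an added example that is not code from the issue or from authentik itself: a minimal RFC 6238 TOTP generator and a verifier with a configurable window of accepted time steps. The base32 secret and the timestamps are constructed for the demo; the 45-second device lag mirrors the "works on the second try" symptom, and `acceptable_codes` shows how many distinct codes a server accepts at one instant as the window grows.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (base32), not a real enrolment key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, valid_window: int = 0,
                step: int = STEP_SECONDS):
    """Return the time-step offset (-window..+window) at which `code` matched, or None.

    valid_window=0 accepts only the current step; each increment adds one step of
    tolerance on either side and therefore one more acceptable code per instant.
    """
    counter = unix_time // step
    for offset in range(-valid_window, valid_window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset), code):
            return offset
    return None


def acceptable_codes(secret: bytes, unix_time: int, valid_window: int,
                     step: int = STEP_SECONDS) -> dict:
    """Map each offset inside the window to the code the server would accept for it."""
    counter = unix_time // step
    return {off: hotp(secret, counter + off) for off in range(-valid_window, valid_window + 1)}


def demo_skew():
    """Server at a fixed constructed instant; the device clock runs 45 s behind."""
    secret = base64.b32decode(DEMO_SECRET_B32)
    server_now = 1_700_000_000          # constructed server time (20 s into its step)
    device_now = server_now - 45        # constructed device time, one full step behind
    device_code = totp(secret, device_now)
    return {
        "strict": verify_totp(secret, device_code, server_now, valid_window=0),
        "window1": verify_totp(secret, device_code, server_now, valid_window=1),
        "codes_accepted_w0": len(acceptable_codes(secret, server_now, 0)),
        "codes_accepted_w1": len(acceptable_codes(secret, server_now, 1)),
    }


if __name__ == "__main__":
    print(demo_skew())
```

With the strict window the lagging device's code is rejected; with a one-step window it matches at offset -1, which is exactly the behaviour the comment trades off: every extra step of tolerance is one more code an attacker who guesses or captures a stale code could use at that moment. Fixing the clock on the device or server is the fix; widening the window is the workaround.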

masterdot commented 4 months ago

I do use several methods and none did work at first try. Maybe I missed a config option for syncing? Telling the docker maybe something? It's TOTP and the WebAuthn also. I think it must be something within authentik...

teambvd commented 4 months ago

If this was working previously and is not now (or if it works intermittently), it's unlikely to be a config issue with the container - instead you'll want to look at the hypervisor and device which is generating the TOTP tokens to ensure both are showing accurate (and regularly synced to avoid skew) time.

masterdot commented 4 months ago

It never worked with this system... But the TOTP devices work everywhere else without problems.

MaxPelly commented 3 months ago

This is probably another case of #5972, see the solution https://github.com/goauthentik/authentik/issues/5972#issuecomment-1960047300

(the default authentication flow has a bug)

masterdot commented 3 months ago

Yes, that did fix it. I did remove the second validation and now it works. Awful bug, if it's OK to say that. It did take a LOT of time to spot and fix...