google / google-authenticator-android

Open source fork of the Google Authenticator Android app
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Apache License 2.0

auth code not working on Github #56

Closed improvethings closed 7 years ago

improvethings commented 7 years ago

I log in with my username and password on Github, and it asks for my two-factor authentication auth code. I enter the code after doing a "Sync now" under "Time Correction for Codes" in the Google Authenticator Android app (4.60 on Android 4.4) which says "Time already Correct". When I enter the code in Github, it says "Two-factor authentication failed.". I reached out to Github, who says their system is saying the codes are not correct. On the Google Authenticator display it says "GitHub", then underneath the dynamic 6 digit code, and under that it says github.com/myusername. On the right is the countdown clock image.

ThomasHabets commented 7 years ago

This could be a timezone and DST problem. Could you switch your phone to a US time zone such as Los Angeles, to see if that fixes it? (this is only to try to find the problem)

What is your phone brand? Is the phone clock set correctly?

improvethings commented 7 years ago

The phone is a Galaxy S/SGH-I897. The time is currently 17:51 PDT Nov 1, 2016, (accurate) in sync with NTP servers as per Cyanogenmod/Android settings.

```
shell@SGH-I897:/ $ date
Tue Nov 1 17:23:19 PDT 2016
```

```
1|shell@SGH-I897:/ $ settings get global time_zone
null
shell@SGH-I897:/ $ settings put global time_zone America/Vancouver
shell@SGH-I897:/ $ settings get global time_zone
America/Vancouver
```

After a reboot, I attempted to Sync time in Google Authenticator, but it told me it failed as the time was already in sync with Google's servers.

ThomasHabets commented 7 years ago

When you say accurate I assume that it's the time-of-cut-and-paste that caused the 17:51/17:23 difference.

4.60, that means Play store version, right. Just the standard disclaimer:

--

FYI: The version in Google Play Store / Apple App store is not the same as this opensource version. They've diverged. This opensource version is also unlikely to end up in the app stores. This open source version doesn't get much love, but I'll accept well-written pull requests. But don't expect this feature to be implemented by Google.

--

But 4.60? That's not the newest version of even that. Could you try updating?

ThomasHabets commented 7 years ago

This could be https://github.com/google/google-authenticator-android/issues/25 fixed in https://github.com/google/google-authenticator-android/pull/4 (and in app store version).

I don't know when version 4.60 is from. Could be before this patch.

improvethings commented 7 years ago

Yes, I pasted approximately 2 minutes later to explain the cut-and-paste time discrepancy above.

As per #25 I verified it's 24-hour time in my Cyanogenmod/Android settings. I turned it off, restarted, and tried unsuccessfully, and then changed it back to the default - on.

I have since upgraded to Google Authenticator 4.74 and the codes are still not working -- in that I can't successfully log in to Github with them. I verified that the time is still in sync with version 4.74. I'm now temporarily locked out of trying to log in to Github after so many unsuccessful attempts.

ThomasHabets commented 7 years ago

With the timing this could be DST-related. Could you try it again tomorrow?

improvethings commented 7 years ago

I just tried it again to no avail. I verified the time is synchronized first.

Is there a good test site I can add to verify if it's working elsewhere?

Once I recover Github access, I will turn off 2fa there and sell this Android device, so I need it for no other purpose than to resolve this, if that helps. I can show someone my screen, run adb/logcat etc.

ThomasHabets commented 7 years ago

Are you saying that if you re-add a google 2fa account (scanning barcode and everything), it won't work?

waywardgeek commented 7 years ago

Hi, Thomas. I have the same symptoms on my fairly new Google-managed Nexus 6P. Is there some way I can help track this down?

waywardgeek commented 7 years ago

Also, yes, I uninstalled Google Authenticator, re-installed, scanned the github QR code, made sure Google Authenticator is happy with my time settings by doing a "Sync now", and verified my timezone and time are set automatically. I do not use 24-hour time. One thought: could it have anything to do with my having two accounts on my phone? I have my waywardgeek@google.com and waywardgeek@gmail.com at the same time. That does confuse a lot of apps.

ThomasHabets commented 7 years ago

It should not be affected by multiple accounts.

IIRC the github flow includes a "put a code here to prove you've set it up", no? (google's flow does, I'm almost entirely sure) Does that box accept the code at setup?

Also, since you're a @google.com, I would recommend trying to re-add the gmail account and if it fails file internal bugs. Presumably you use the App store version (see standard disclaimer above).

jskeet commented 7 years ago

I'm seeing the same problem - and yes, the box in the setup flow accepts the code, which sounds like it's a Github issue rather than an auth app issue, but I don't know enough to be sure. (The account is definitely correct, as the recovery code for that account works.)

The authenticator app worked for a very long time with Github, so I don't know what's changed.

ThomasHabets commented 7 years ago

If this is reproducible for you then could you try a separate TOTP app, and see if it has the same issue? If it does then it's almost definitely a problem on the github side. (could still be android system, somehow)

jskeet commented 7 years ago

@ThomasHabets: Happy to try, yes. Any specific ones you'd like to suggest?

ThomasHabets commented 7 years ago

@jskeet I've not really used others much, but I seem to recall this one working for me: https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en

If you scan the same QR code they should be in sync with their codes. So if they are and github still has trouble, then I'd say it's an issue with github.

jskeet commented 7 years ago

@ThomasHabets: Thanks, just tried that, and got exactly the same problem. Will see if I can find the right place to file a bug with Github...

jskeet commented 7 years ago

Reported via contact page, including link to this. Will see if anything comes of it.

jskeet commented 7 years ago

Okay, somewhat solved - I hadn't hit the green "Enable two-factor authentication" button on the final screen, which is disabled until you download the recovery codes. I hadn't done that because:

I've suggested that Github might want to revisit their UI on this. Either way, it definitely isn't a Google Authenticator issue in my case.

ThomasHabets commented 7 years ago

Thanks for investigating.

tonycmyoung commented 7 years ago

I'm having this same issue - and GitHub is showing 2FA as enabled so it's not the above UI issue for me. I've tried deregistering and reregistering 2FA in Google Authenticator to no avail. The first code generated during configuration works for configuration, but no further generated codes work.

ThomasHabets commented 7 years ago

@tonycmyoung Could you try it with FreeOTP, mentioned earlier in the thread?

If it does work with that one, then GAA has a bug.

fernandobrito commented 7 years ago

I'm also having this issue. I've tried both GAA and FreeOTP, and although I can successfully register my device, 2FA doesn't work for subsequent logins. Timezone and time are set automatically on my phone.

@tonycmyoung have you tried contacting GitHub support already?

ThomasHabets commented 7 years ago

I'm assuming this is a github issue then, so treating that as the root cause.

NickBrooks commented 7 years ago

+1 for same issue 😢

Currently using SMS as a work around but don't want to rely on it since I'll be unable to access my phone number soon.

capi commented 7 years ago

@fernandobrito @NickBrooks Have you checked the solution @jskeet suggested in this thread?

fernandobrito commented 7 years ago

Now it works. I hadn't really seen his solution before:

> Okay, somewhat solved - I hadn't hit the green "Enable two-factor authentication" button on the final screen, which is disabled until you download the recovery codes. I hadn't done that because:
>
> - I already had recovery codes (they hadn't changed since it had been working before)
> - I didn't think I'd need to enable 2FA when it was already clearly enabled...

I also thought that the button was disabled because 2FA was already enabled before.


NickBrooks commented 7 years ago

@capi my 2FA looks like this (I can't see where else to further turn it 'on')...


jskeet commented 7 years ago

@NickBrooks: You need to go through the "edit" process again, and make sure you hit the "Enable" button at the end of the process.

@fernandobrito: Exactly, my thoughts too. I suggested to the Github team that they might want to revisit the UI...

NickBrooks commented 7 years ago

@jskeet A ha - fixed.

Seriously confusing little UX... it feels like it's done as soon as you scan the barcode (like most other 2FA) so I just close out of it rather than continue on with the process. A little tweak needed to make that more clear.

Thanks!

nathanl commented 4 years ago

For me the solution was Menu -> Settings -> Time Correction for Codes -> Sync now - apparently my clock was not in sync

jonathanbossenger commented 4 years ago

@nathanl thanks, that also resolved my problem.

sanmut commented 4 years ago

> For me the solution was Menu -> Settings -> Time Correction for Codes -> Sync now - apparently my clock was not in sync

I ran into the same issue today (coincidentally or due to Daylight Savings Time change yesterday !?). This proposed solution did not work for me. I did the following that fixed 2FA error during sign-in.

  1. Removed github account from my Authenticator app (on Android phone)
  2. Go to github.com in a browser on Desktop, go to Account --> Settings --> Security --> Authenticator App --> Configure
  3. Scan the bar code on the Desktop browser from the Authenticator App
  4. Enter the 6 digit code

After this, I was able to use 2FA to sign in.

improvethings commented 4 years ago

> Go to github.com in a browser on Desktop, go to Account --> Settings --> Security --> Authenticator App --> Configure

How are you logging into Github if Google Authenticator isn't working? If I could login to my account, I could easily resolve this issue. It's been over 3 years without access to my Github account.

leodutra commented 4 years ago

Used Microsoft and Google Authenticator. Both having errors.

leodutra commented 4 years ago

Maybe the time clock issue is happening to me, Brazilian summertime has changed this year. Let me check.

leodutra commented 4 years ago

Yes, looks like the observatories did not update the f* timezone list.
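
Added example, not part of the thread and not the app's code: an RFC 6238 TOTP sketch covering the two checks discussed above, that two apps enrolled from the same QR code must show the same code, and that a wrong device clock makes otherwise valid codes fail. The function names, the sample secrets and the ±1 step acceptance window are assumptions for illustration, not GitHub's documented behaviour.

```python
import base64, hashlib, hmac, struct
from datetime import datetime, timedelta, timezone

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are the shared secret and UTC epoch
    seconds only; the device's time zone never enters the calculation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Verifier side: accept a code from +/- `window` steps of server time."""
    return any(hmac.compare_digest(totp(secret_b32, server_time + d * STEP), code)
               for d in range(-window, window + 1))

def skew_steps(secret_b32, code, trusted_time, max_steps=240):
    """Diagnostic: how many steps off a trusted clock was the device that made
    `code`? None means no match in range, which points at differing secrets
    (presumably the unfinished-enrollment case) rather than at the clock."""
    for d in sorted(range(-max_steps, max_steps + 1), key=abs):
        if totp(secret_b32, trusted_time + d * STEP) == code:
            return d
    return None

# Constructed sample data: the RFC 6238 test key, base32-encoded as in a QR code.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
OTHER_SECRET = "JBSWY3DPEHPK3PXP"  # stands in for a stale or different enrollment
PDT = timezone(timedelta(hours=-7))
NOW = int(datetime(2016, 11, 1, 17, 23, 19, tzinfo=PDT).timestamp())
NOW_UTC = int(datetime(2016, 11, 2, 0, 23, 19, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    print("same instant, two zones:", NOW == NOW_UTC)
    good = totp(SECRET, NOW)
    print("correct clock accepted:", verify(SECRET, good, NOW))
    late = totp(SECRET, NOW - 3600)  # device clock one hour behind
    print("1h-slow clock accepted:", verify(SECRET, late, NOW),
          "skew:", skew_steps(SECRET, late, NOW))
    print("different secret, skew:", skew_steps(OTHER_SECRET, good, NOW))
```

A time zone or DST setting only matters when it leaves the device's underlying UTC clock wrong, for example a manually set wall clock combined with outdated zone rules.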