jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Invalid token. Please make sure you have entered it correctly #261

Open olivierbufalini opened 6 years ago

olivierbufalini commented 6 years ago

After a while, tokens are not accepted anymore, even though I am using the right code generated by the Google Authenticator app. Whenever I enter the code I keep getting the same message: Invalid token. Please make sure you have entered it correctly

The only way to solve it is to remove the token in the DB and redo the setup.

Your Environment

Bouke commented 6 years ago

Without additional information, there's nothing much to look at here. I think the clock skew (drift) is stored somewhere on the OTP device, and I'm guessing here, maybe the clock of your phone and the server have drifted too much?

marojenka commented 5 years ago

Hi there. I got a similar problem and can't figure this out. Checking the time is clearly the first thing to do and sadly doesn't help. In a desperate hope I tried to clear the cache and the session, no luck there. I haven't checked the inside of the application yet, so if there are some ideas what to look for the next time it happens, it might help.

lucawen commented 5 years ago

Did you figure out how to resolve this?

marojenka commented 5 years ago

Since my message I have had this problem only a few times on the development server and wasn't able to narrow it down before it disappeared, sorry.

lucawen commented 5 years ago

I'm having this problem in production with large-scale user problems... My timezone is Seoul, maybe it's this??

marojenka commented 5 years ago

I'm not able to reproduce this anymore. Chances are it was tied to a custom middleware that enforced a login-required policy. It never happened again after I added /favicon.ico (!) to the exceptions list. My bad /shrug

claudep commented 5 years ago

Was bitten by this too; a warning could be added in the docs that inadvertent redirections might interfere with the process.

moggers87 commented 5 years ago

That might be worth doing as it's not the only issue reported that was caused by this sort of misconfiguration: https://github.com/Bouke/django-two-factor-auth/issues/291

ronnievdc commented 5 years ago

I also stumbled on it.

It could be caused by django_otp. The TOTPDevice Model has a ThrottlingMixin. After entering a wrong code the ThrottlingMixin could throw the error: VerifyNotAllowed.N_FAILED_ATTEMPTS. django_otp ignores the error message and only returns False as the error status. django-two-factor-auth handles the False by showing the Invalid token message.

moggers87 commented 5 years ago

@ronnievdc that's by design and this bug pre-dates that feature by about a year.

moggers87 commented 3 years ago

Are there any other URLs that might be loaded that could be causing this issue for you?

kirubasankar2006 commented 3 years ago

The TOTP generated from the forms.py code (totp(key, self.step, t0, self.digits, self.drift + offset)) is different from the code Google Authenticator is showing me. Any suggestions?

moggers87 commented 3 years ago

Some more information would be helpful!

kirubasankar2006 commented 3 years ago

Hi. Below is my detail on what I have done so far. https://stackoverflow.com/questions/65540983/django-two-factor-authentication-not-working.

steps followed.

  1. Installed the two_factor package (django-two-factor-auth).
  2. Opened the URL /account/login.
  3. After entering the user name and password, was redirected to the QR setup page.
  4. Scanned the QR on both Google Authenticator / Authy (both show
  5. When I enter the token generated by Google Authenticator I get the error Invalid token.

When I debug I can see that the token generated from two_factor\forms.py is different from what I see in Google Authenticator. Any help is appreciated.

moggers87 commented 3 years ago

Are the clocks on your device and your server correct? TOTP is very sensitive to clock drift and it's been my personal experience that this sort of issue is usually a case of "oh, NTP crashed on my server" :smile_cat:

Chuchundr commented 3 years ago

> The TOTP generated from the forms.py code (totp(key, self.step, t0, self.digits, self.drift + offset)) is different from the code Google Authenticator is showing me. Any suggestions?

You can increase the tolerance value; the token will be usable for some more time. It helped me with the same issue.
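To make the two mechanisms discussed in this thread concrete (the `totp(key, self.step, t0, self.digits, self.drift + offset)` window search and the tolerance setting from the last few comments, and the throttling behaviour ronnievdc describes above), here is an added, self-contained example. It is not code from django-two-factor-auth or django_otp: the HOTP/TOTP functions follow RFC 4226/6238 and are checked against the RFC 6238 test vectors, while `ThrottledDevice` is an approximation of django_otp's `ThrottlingMixin` whose back-off formula (`factor * 2 ** (failures - 1)` seconds) and reason strings are assumptions, not verified against the library. `KEY`, the phone/server timestamps and the 95-second skew are constructed inputs.

```python
# Added example, not django-two-factor-auth's or django_otp's own code.
# Reproduces offline the two ways a correct-looking code ends up as "Invalid token":
#  (1) phone/server clock skew wider than the tolerance window, and
#  (2) a throttled device, where verify_token() reports only False and the reason is dropped.
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"); constructed input for this demo.
KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    o = mac[-1] & 0x0F
    code = ((mac[o] & 0x7F) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3]
    return str(code % 10**digits).zfill(digits)


def totp(key: bytes, t: int, step: int = 30, t0: int = 0, digits: int = 6, offset: int = 0) -> str:
    """RFC 6238 TOTP at Unix time t; offset shifts the time-step counter (this is the drift + offset slot)."""
    return hotp(key, (t - t0) // step + offset, digits)


def verify(key: bytes, token: str, now: int, step: int = 30, t0: int = 0,
           digits: int = 6, drift: int = 0, tolerance: int = 1):
    """Search the window [-tolerance, +tolerance] around the stored drift.

    Returns the matching drift (drift + offset) so the caller can persist it, or None."""
    for offset in range(-tolerance, tolerance + 1):
        if hmac.compare_digest(totp(key, now, step, t0, digits, drift + offset), token):
            return drift + offset
    return None


class ThrottledDevice:
    """Approximation of django_otp's ThrottlingMixin + TOTPDevice (assumed back-off: factor * 2**(failures-1) s)."""

    def __init__(self, key: bytes, throttle_factor: int = 5):
        self.key = key
        self.drift = 0                 # learned skew, persisted like django_otp's drift column
        self.throttle_factor = throttle_factor
        self.failure_count = 0
        self.failure_timestamp = None

    def verify_is_allowed(self, now: int):
        if self.failure_count and self.failure_timestamp is not None:
            delay = self.throttle_factor * 2 ** (self.failure_count - 1)
            if now - self.failure_timestamp < delay:
                return False, {"reason": "N_FAILED_ATTEMPTS",          # assumed reason label
                               "failure_count": self.failure_count,
                               "locked_until": self.failure_timestamp + delay}
        return True, None

    def verify_token(self, token: str, now: int, tolerance: int = 1) -> bool:
        allowed, _reason = self.verify_is_allowed(now)   # the reason is dropped here: the caller only sees False
        if not allowed:
            return False
        matched = verify(self.key, token, now, drift=self.drift, tolerance=tolerance)
        if matched is None:
            self.failure_count += 1
            self.failure_timestamp = now
            return False
        self.drift = matched
        self.failure_count = 0
        self.failure_timestamp = None
        return True


def demo() -> dict:
    phone = 1111111109              # phone clock (RFC 6238 vector time; 6-digit code is 081804)
    code = totp(KEY, phone)
    server = phone + 95             # server clock running ~3 steps ahead of the phone (constructed skew)
    results = {
        "code": code,
        "tolerance_1": verify(KEY, code, server, tolerance=1),   # None: skew outside the window
        "tolerance_4": verify(KEY, code, server, tolerance=4),   # -4: accepted, and that becomes the drift
    }
    dev = ThrottledDevice(KEY, throttle_factor=5)
    results["wrong_first"] = dev.verify_token("000000", phone)        # wrong code: failure recorded
    results["right_but_throttled"] = dev.verify_token(code, phone + 2)  # correct code, still False (locked 5 s)
    results["right_after_delay"] = dev.verify_token(code, phone + 5)    # lock expired: accepted
    results["learned_drift"] = dev.drift
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things follow from running it. A code that Google Authenticator shows as current can still be four steps away from what the server computes when the clocks disagree by a couple of minutes, and raising `tolerance` only papers over that until the skew grows again; the only real fix is NTP on the server and an accurate phone clock. And a throttled device returns the same bare `False` as a genuinely wrong code, so the "Invalid token" message on its own does not distinguish skew, throttling, or the redirect problem discussed earlier in the thread.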

kirubasankar2006 commented 3 years ago

Thank you for the reply. I am trying only on localhost now, so the clocks on my PC and my mobile have the same time. I have even tried to set TIME_ZONE = 'Asia/Kolkata', which is my local time.

> The TOTP generated from the forms.py code (totp(key, self.step, t0, self.digits, self.drift + offset)) is different from the code Google Authenticator is showing me. Any suggestions?
>
> You can increase the tolerance value; the token will be usable for some more time. It helped me with the same issue.

I tried this also, bro. No luck.