pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0

Unable to provision TOTP #14710

Open patel999jay opened 9 months ago

patel999jay commented 9 months ago

Hey -- I seem to have the same issue... I've tested with both Authy, Google Authenticator + Microsoft Authenticator

Screenshot from 2023-10-06 13-45-59

This is my user account https://pypi.org/user/avi_vajpeyi/

Any suggestions?

(I tried the 'Time sync' option for the Google Authenticator app, I got a message stating "... in sync with Google servers")

I have the same issue, could not do it with Authy, Google Authenticator and/or Microsoft Authenticator.

Originally posted by @patel999jay in https://github.com/pypi/warehouse/issues/7385#issuecomment-1751389413

miketheman commented 9 months ago

@patel999jay I've double-checked the behavior for TOTP enrollment, and it still works as expected. Are you certain you're not adding any other characters to the input? Input is also time-sensitive.

patel999jay commented 9 months ago

@miketheman : I am certain I am not adding any other character to the input and I also input the code in a timely fashion.

To Reproduce

miketheman commented 9 months ago

@patel999jay I am unable to reproduce the issue. I've also just confirmed the behavior is working on both pypi.org and test.pypi.org.

And you have confirmed that your app has been time-synced?

patel999jay commented 9 months ago

@miketheman : Yes, it is synced and I tried using both Android and Apple devices; it is not working on any of them.

image

avivajpeyi commented 9 months ago

Hey -- I'm having the same issue, tested with authy, Microsoft authenticator and the Google authenticator apps. :(

di commented 9 months ago

For folks having issues adding TOTP, can you visit https://time.is/ on your mobile device (the same one with your authenticator app) and confirm that it says "Your time is exact!"?

patel999jay commented 9 months ago

Take a look at this:

image

di commented 9 months ago

Thanks @patel999jay. Can you confirm that in Google Authenticator, you're using the code from an entry that says PyPI: <username>?

patel999jay commented 9 months ago

@di : Yes, correct, I am using this from that entry.

di commented 9 months ago

@patel999jay Can you try deleting all "PyPI" entries from your authenticator app, hard-reloading the page with the QR code, scanning it in via your app and using the new code it provides?

di commented 9 months ago

@patel999jay Is this the PyPI account in question? https://pypi.org/user/jpatel1993/. This is showing that you already have 2FA enabled on this account. Are you trying to add a new 2FA device? Do you see any TOTP devices listed at https://pypi.org/manage/account/?

patel999jay commented 9 months ago

@di : Right, I just tried adding my account via my Ubuntu machine with the Authy app and it would let me do it. I still cannot add that to my phone, I mean with Google Authenticator + Microsoft Authenticator.

di commented 9 months ago

You can only have one TOTP device at a time. Are you trying to replace the Authy device with a mobile device?

patel999jay commented 9 months ago

yes right.

avivajpeyi commented 9 months ago

Hmm, I haven't set up 2FA on any device, and I'm still having the issue.

I have tested Authy, Microsoft Authenticator, Google Authenticator on my Google Pixel, and tried Authy desktop on my Linux machine.

My username account: https://pypi.org/user/avi_vajpeyi/

Any suggestions on how to fix/diagnose this error?

Screenshot from 2023-10-09 14-51-00

Screenshot from 2023-10-09 12-53-25 Screenshot from 2023-10-09 12-53-06

di commented 9 months ago

I can't reproduce this: With a brand new PyPI account, Google Authenticator + Google Chrome, I was able to add a new 2FA device, and to edit/replace an existing 2FA device. I'm going to try to add some additional error messages here to indicate if this is due to clock drift or not, but I'm not sure what other leads to pursue.

di commented 9 months ago

Hi folks, I've landed some changes in #14720 that should emit a different error if this is due to clock skew. Could you try again?
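An added illustration, not part of this thread and not Warehouse's own code: one way a verifier can tell a clock-skewed code apart from a code that is wrong for any clock, such as one generated by a stale authenticator entry from an earlier QR code. The function names, window sizes, secrets and timestamp are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The counter comes from UTC epoch seconds,
    so a change of time zone alone does not change the code."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def diagnose(secret: bytes, submitted: str, server_time: int,
             accept_steps: int = 1, probe_steps: int = 20):
    """Classify a code as ("ok", drift), ("clock_skew", drift) or ("invalid", None).
    drift is in seconds; negative means the authenticator clock is behind.
    Only "ok" may authenticate: the wider probe just selects the error message."""
    code = "".join(submitted.split())  # tolerate "287 082" and stray whitespace
    if len(code) != 6 or not (code.isascii() and code.isdigit()):
        return ("invalid", None)
    # Try the nearest time steps first so the smallest drift wins.
    for k in sorted(range(-probe_steps, probe_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret, server_time + k * STEP), code):
            return ("ok" if abs(k) <= accept_steps else "clock_skew", k * STEP)
    return ("invalid", None)

# Constructed sample data: the RFC 6238 test secret plus a made-up "old" secret
# standing in for an authenticator entry created from a previous QR code.
CURRENT_SECRET = b"12345678901234567890"
STALE_SECRET = b"constructed-old-secret"
NOW = 1_700_000_000  # constructed server time (Unix seconds)

if __name__ == "__main__":
    # Correct secret, correct clock.
    print(diagnose(CURRENT_SECRET, totp(CURRENT_SECRET, NOW), NOW))
    # Correct secret, authenticator clock five minutes behind.
    print(diagnose(CURRENT_SECRET, totp(CURRENT_SECRET, NOW - 300), NOW))
    # Stale entry: perfectly synced clock, but the code can never match.
    print(diagnose(CURRENT_SECRET, totp(STALE_SECRET, NOW), NOW))
```

A code from a stale entry lands in the "invalid" branch however accurate the device clock is, which is consistent with the reports here where time sync checks passed but deleting the entry and rescanning the QR code fixed enrollment.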

avivajpeyi commented 9 months ago

Hey @di -- thanks for looking into this. Unfortunately, I'm still just getting the 'Invalid TOTP code. Try again?' error (no error based on clock skew)

Screen Shot 2023-10-10 at 12 21 21 pm

FWIW, I use Authy for my uni account 2FA -- that does work.

dreamcode1994 commented 9 months ago

Hey @di, for me also the same behaviour: "Invalid TOTP code Try Again"

My mobile time is also correct. Using Google Authenticator, deleted all entries then added again with hard refresh of page.

Screenshot 2023-10-10 at 8 53 26 AM

Can you please look into this?

di commented 9 months ago

Would someone experiencing this be able to schedule a call with me here so we can walk through it together? https://calendly.com/di_codes

di commented 9 months ago

Just sat down with @dreamcode1994 and we determined that it is something about his Google Chrome browser that is causing this, as he was able to get this to work in Safari and in a Google Chrome incognito window. Can other folks in this thread try different browsers as well?

dreamcode1994 commented 9 months ago

Thanks @di for quick response.

avivajpeyi commented 8 months ago

Deleting my previous scanned version of PyPI + updating my Firefox + phone worked! Thanks @di

patel999jay commented 8 months ago

@di : it worked. Thanks !

woodruffw commented 8 months ago

Out of curiosity: did anybody in this thread who experienced trouble take their device across a timezone shortly before experiencing it?

di commented 8 months ago

@woodruffw Do you mean the device generating the TOTP code, or the device with the web browser? I think what I determined with @dreamcode1994 was that their mobile device was producing valid codes, but something about their web browser they were submitting the code with was causing it to be invalid.

woodruffw commented 8 months ago

Do you mean the device generating the TOTP code, or the device with the web browser?

Ah yeah, I was thinking of the former. But if it's the browser submitting it incorrectly, then I'm thoroughly mystified 🙂

GLGDLY commented 7 months ago

problem solved also by using Firefox instead of Chrome

andrwcnln commented 6 months ago

I just added a section to the help in #15079 for TOTP issues. I could update it to cover using a different browser as an additional troubleshooting step?

woodruffw commented 6 months ago

I'm -0 on putting that as a troubleshooting step on the help page: it might help some users, but it's a pretty heavyweight recommendation that might cause more confusion for the 99% case (wrong system time) than it helps the 1% case (bizarre TOTP/form input browser bug).

That being said, there are 4 independent reports here, so maybe that's a sufficient mass?

ideoforms commented 6 months ago

Another datapoint: This also happened to me the first time I set up PyPI/TOTP (Chrome on macOS, Google Authenticator on iOS, UK timezone, set up by scanning the QR code). The authentication repeatedly failed.

I eventually resolved it by deleting the PyPI entry from authenticator, and re-creating it by scanning the QR code again. The new entry worked first time.

NicoKiaru commented 5 months ago

I've got the same issue (Chrome, Firefox, same issue), I'll try scanning the QR code again - but that's pretty annoying. EDIT: didn't work. But I managed to create a token after logging in with a security code. That's all I needed.

dehilsterlexis commented 5 months ago

MY FIX and why. It turns out I did not finalize my authenticator app process with a code on the PyPI webpage when using the QR code the first time. When using a QR code which appears on the PyPI website, it then asks for a code from the authenticator. I did not do that the first time. When I added it again, I noticed that step I had skipped and then added the code on the PyPI webpage to confirm. It is now working.

dada878 commented 1 week ago

I have encountered this error as well. I tried many times, but it still shows 'Invalid TOTP code. Try again?'. However, when I tried using PyPI in incognito mode, I was successful in enabling 2 step verification.