MFA Not working: Google Authenticator

I’m trying to set up MFA with with Google Authenticator and everything sets up clean, but it will not accept the 6 digit OTP. It says “OTP is not valid”. Am I missing something?
Here is what I do…

  1. I enable Time-based One Time Password MFA in the settings, and click “Save Settings”.
  2. Then go to Profile > Multi Factor Authentication.
  3. The only provider that appears is Google Authenticator, and it says Disabled. Is that normal?
  4. I select Google Authenticator and click Getting Started.
  5. The QR code appears and I scan it with the Google Authenticator App.
  6. I enter the OTP and get “OTP is not valid”.

I’m running v4.0.0 CE on CentOS 7. NTP on my server sync’s to google’s NTP server

Any help is greatly appreciated…

hey @akak01000101 welcome to the forum!

Since you have already checked NTP on the server the other time related issue could be on the mobile device with the authenticatior app. Could you double check that to ensure your device time is also properly synced?

If that isn’t it can you run the status-report and post the output?
sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" nginx

Hi Clayton,
Well, there are 8 other OTP’s configured on the app, they all work, and one of them is also google. So I’m thinking the Mobile side is ok.

Running the status-report. Everything says “PASS”, except:
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

[FAIL] Passbolt is not configured to force SSL use.
2023-05-26 21:31:22 error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json

I remember reading that SSL needed to be enabled and I thought it was, maybe not forced. If this is the issue, do you know how or where to force it?


Saw in another post how to force SSL in /etc/passbolt/passbolt.php and changed the setting to true, but that did not help.

Yes, that’s the way to do it.

Since it still doesn’t work you could attempt with another totp app as a matter of troubleshooting.

In FDroid there is andOTP, and really any other totp authenticator app should work with this feature. Will it work with another app?

ps “Disabled” should probably say “Available”

I’m open to that, but Google Authenticator is the only one that is listed, and no other OTP apps listed to select in passbolt.

I thought “Disabled” was an issue as well. Any thoughts if there is a module missing of something misconfigured to make it show disabled?


It may have the Google Authenticator icon, but it’s TOTP in general. I don’t use the Google Authenticator app myself, I use andOTP.

If it truly is disabled, you won’t be able to begin the setup. Enabling TOTP is done in the Adminstration section of the app. Here, mine is enabled:

I am using it as a user, so it says Enabled when it’s done being set up:

I would show “In-Use” instead of “Enabled” but regardless of the naming( :man_shrugging:), that’s what it should look like.

Figured it out…

  1. After setting passbolt up I didn’t force SSL in passbolt.php, but had the time set. It didn’t work.
  2. After forcing SSL, by then the time drifted, so it still didn’t work. I’ve forced a ntpdate and MFA is working now!

I’ve set a daily “ntpdate” in cron so it should be all good now.

Thanks for help clayton and garret!