Multi Factor Auth Issue

TOTP randomly starts failing:

Every user can successfuly set up MFA and use it for some time, then it starts failing collectively. Passbolt refuses the code generated by the provider for every user, only server reboot solves the issue.

ssl cert is in use and server is behind a fortigate reverse proxy.
Any ideas what might cause the issue?

Hello @matreicht and welcome to the forum!

What you described makes me think that there could be some time synchronisation issues. For TOTP to work it needs both the devices and the server to be in time sync.
From what you said, I would bet that the server might be desync at some point from the time server.

There could be many reasons for that, an easy one to tests is to check if the server time sync service is on.
I don’t know what is you server OS right now but the following command could give more details about the service status (if it doesn’t work, the command needs to be adapted and I would need to known what is your server OS and its version).

sudo systemctl status systemd-timesyncd

As output you might have the following (here it’s inactive):

systemd-timesyncd.service - Network Time Synchronization
     Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; ve>
     Active: inactive (dead)
       Docs: man:systemd-timesyncd.service(8)

with a:

sudo systemctl restart systemd-timesyncd

You should then see with the previous command a more complete result but with a status set to active hopefully.

Hi Steph,

It turned out to be a network issue, ntp service was disabled on the gateway interface of the firewall for vlan the server is in and the syncing attempts timed out.
Thanks for the suggestion.

1 Like