The 2FA feature does not work, at least on this instance. I haven’t tried it on other instances.

Enabling the 2FA option and refreshing the page generates an OTPAUTH link to add the TOTP code to an authenticator app of your choosing, which is fine. The problem is that the TOTP codes that the secret generates are not valid, and a user cannot log in using the 2FA TOTP codes that are generated.

I have confirmed this on several different devices and authenticators.

Admins… it might be a good idea to disable this feature until it’s working properly to avoid people getting locked out of their accounts because they can never provide a valid TOTP code.

  • packetloss (OP) · 4 · 11 months ago

    I tried Google Authenticator, Bitwarden, Duo Authenticator, and Microsoft Authenticator. I also tried on mobile (Android) and on desktop.

    In all cases the authenticator was giving me a 6-digit code, but the code was not valid. If I used the same secret on multiple authenticators they all gave me the same TOTP codes, which is expected, but the codes wouldn’t work. So even though multiple authenticators are displaying the same TOTP code, the code the site is expecting doesn’t match, meaning the site is not using the secret it generated properly.

      • @C4d · 2 · 11 months ago

        The uh… what?

        • @SheeEttin · 3 · 11 months ago

          The app icon looks like a butthole to them, I guess.

    • Sami · 1 · 11 months ago

      Yeah I know it sucks. I tried some of those too but only KeePassXC worked for me.
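The check the OP and packetloss describe, written out as an added example (not code from this thread or from the instance's software): it parses the otpauth:// URI, derives TOTP codes per RFC 6238, verifies a submitted code the way a server should (with a small clock-skew window), and shows one hypothetical server-side mistake that produces exactly this symptom, running the HMAC over the base32 text instead of the decoded secret bytes. The URI, the account name and the buggy variant are constructed assumptions, not what this instance actually does; the secret is the RFC 6238 reference secret so the codes can be checked against the RFC's test vectors.

```python
import base64, hmac, hashlib, struct
from urllib.parse import urlparse, parse_qs

# Constructed example: the RFC 6238 reference secret (ASCII "12345678901234567890")
# base32-encoded and wrapped in an otpauth:// URI like the one the site hands out.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode().rstrip("=")
EXAMPLE_URI = f"otpauth://totp/Example:alice?secret={RFC6238_SECRET_B32}&issuer=Example"

def parse_otpauth(uri):
    """Return (secret_bytes, digits, period, algorithm) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # apps tolerate missing base32 padding; b32decode does not
    return (base64.b32decode(secret), int(q.get("digits", 6)),
            int(q.get("period", 30)), q.get("algorithm", "SHA1").upper())

def totp(secret, counter, digits=6, algorithm="SHA1"):
    """HOTP (RFC 4226) over the time-step counter, i.e. TOTP (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_at(uri, unix_time):
    """What every correct authenticator app shows for this URI at the given time."""
    secret, digits, period, alg = parse_otpauth(uri)
    return totp(secret, unix_time // period, digits, alg)

def verify(uri, submitted, unix_time, window=1):
    """Server-side check: accept the current step or +/-window steps to absorb clock skew."""
    secret, digits, period, alg = parse_otpauth(uri)
    step = unix_time // period
    return any(hmac.compare_digest(totp(secret, step + d, digits, alg), submitted)
               for d in range(-window, window + 1) if step + d >= 0)

def buggy_code_at(uri, unix_time):
    """Hypothetical server bug: HMAC over the base32 text instead of the decoded bytes.
    Every app agrees with every other app, yet nothing they show ever passes verification."""
    _, digits, period, alg = parse_otpauth(uri)
    text_key = parse_qs(urlparse(uri).query)["secret"][0].encode()
    return totp(text_key, unix_time // period, digits, alg)
```

If the codes this computes match what the authenticator apps show but the site still rejects them, the fault is in the server's check, which is the conclusion packetloss draws above.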