2FA doesn’t work

Hello @geercom and thanks for reaching out to us!

It sounds like it could be possible plugin conflict or maybe the time/date setting is off.

Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

Also, check your Wordfence > Login Security page at the bottom, do these times match?

Thanks again!

Done.

Times appear to be a minute apart:

Server Time: 2021-09-15 14:36:31 UTC (2021-09-15 14:36:31 UTC+0)
Browser Time: Wed, 15 Sep 2021 14:36:32 GMT (Wed Sep 15 2021 10:36:32 GMT-0400 (Eastern Daylight Time))

Thanks for sending that over!

The diagnostic looks good! My question would be, are there other users on the site that are having this issue, or might it just be with your profile?

If you’re the only admin, I suggest clearing the data tables for Login Security and seeing if that resolves the issue.
NOTE: This will remove all user’s 2FA and they will have to see it up again.
1. Navigate to Wordfence > Login Security > Settings
2. Click to enabled the Delete Login Security tables and data on deactivation option
3. Head over to the plugins page and disable Wordfence, then Activate it again.

This will recreate the login tables. Then go ahead and try to set up 2FA again on your profile. Try to log in a few times to make sure it’s working.

Let me know what you find!

Thanks again!

Here’s the settings I have now after trying this. I think I screwed up, but it won’t let me in at the login page.

This is the settings tab:

Login Security Settings
Learn more about Login Security 
User Summary
Manage Users
Role	Total Users	2FA Active	2FA Inactive
Administrator	2	1	1 (View users)
Total	2	1	1
Settings
  
2FA Roles
Administrator

Required
Editor

Disabled
Author

Disabled
Contributor

Disabled
Subscriber

Disabled
Grace Period
10
 days
For roles that require 2FA, users will have this many days to set up 2FA. Failure to set up 2FA during this period will result in the user losing account access. This grace period will apply to new users from the time of account creation. For existing users, this grace period will apply relative to the time at which the requirement is implemented. This grace period will not automatically apply to admins and must be manually enabled for each admin user.

Administrator
 
Send an email to users with the selected role to notify them of the grace period for enabling 2FA.
Allow remembering device for 30 days
If enabled, users with 2FA enabled may choose to be prompted for a code only once every 30 days per device.
Require 2FA for XML-RPC call authentication
If enabled, XML-RPC calls that require authentication will also require a valid 2FA code to be appended to the password. You must choose the "Skipped" option if you use the WordPress app, the Jetpack plugin, or other services that require XML-RPC.
SKIPPED
REQUIRED
Disable XML-RPC authentication
If disabled, XML-RPC requests that attempt authentication will be rejected.
Allowlisted IP addresses that bypass 2FA
[I put my IP in here.]
Allowlisted IPs must be placed on separate lines. You can specify ranges using the following formats: 127.0.0.1/24, 127.0.0.[1-100], or 127.0.0.1-127.0.1.100.

This is the 2FA tab now:

Two-Factor Authentication
Learn more about Two-Factor Authentication 
Two-Factor Authentication, or 2FA, significantly improves login security for your website. Wordfence 2FA works with a number of TOTP-based apps like Google Authenticator, FreeOTP, and Authy. For a full list of tested TOTP-based apps, click here.

Editing User:   admin (you)
1. Scan Code or Enter Key
Scan the code below with your authenticator app to add this account. Some authenticator apps also allow you to type in the text version instead.

YGKCCOLAQOLUSWNG3T7YXFT4X2WZF76G

2. Enter Code from Authenticator App
Download Recovery Codes Optional

Use one of these 5 codes to log in if you lose access to your authenticator device. Codes are 16 characters long plus optional spaces. Each one may be used only once.

ded0 8167 064c 0065
38b1 3a47 7974 a16b
8088 2ac0 aec8 95cd
f635 e243 69e4 ce56
928a ead7 0862 5eeb

Enter the code from your authenticator app below to verify and activate two-factor authentication for this account.

123456

For help on setting up an app, visit our help article.
Grace Period
Two-factor authentication will be required for your account beginning September 25, 2021 9:50 PM

Server Time: 2021-09-15 21:50:05 UTC (2021-09-15 21:50:05 UTC+0)
Browser Time: Wed, 15 Sep 2021 21:50:06 GMT (Wed Sep 15 2021 17:50:06 GMT-0400 (Eastern Daylight Time))
Corrected Time (NTP): 2021-09-15 21:50:05 UTC (2021-09-15 21:50:05 UTC+0)
Detected IP: 66.61.91.36 (allowlisted)

And I went in via file manager and renamed the WF folder to old to deactivate to get back in when we need to try something.

You might want to edit that 2FA tab window and take out those codes, just in case someone copies them and attempts to log in since this is a public forum.

So after you did the process I provided, you should have had to set up 2FA again right?

https://www.wordfence.com/help/login-security/ actually has a video of the step-by-step process of setting up 2FA.

Also, which authenticator app are you using? I suggest the following:
Google Authenticator
Sophos Mobile Security
FreeOTP Authenticator
1Password (mobile and desktop versions) See: 1Password help
LastPass Authenticator
Microsoft Authenticator
Authy 2-Factor Authentication

Let me know how it goes!

Thanks again!

I had to set up 2FA again but I must have done something wrong. I keep trying over all the instructions to remove the tables and add them back but when I put in the code from the Google Authenticator app it says, “Error Activating 2FA The code provided does not match the expected value. Please verify that the time on your authenticator device is correct and that this server’s time is correct.” I can’t get to the video because I don’t have a Wordfence Central setup; I only have the one site.

Does the time on your phone match the time that you provided on the Login Security page?

That would be the only reason it wouldn’t be accepting the 2FA code you are entering.

Let me know!

Thanks again!

The site says 4:23 UTC and my phone says 12:24 ET.

The one minute off is what is causing the issue there, I believe. Adjust your phone’s time to match and the issue should be resolved.

Let me know how it goes! I see the light at the end of the tunnel!

Thanks again!

Thank you.

At this time, I’m not sure I can change settings on my systems, such as my phone, to compensate for sudden irregularities in your service. Everything worked perfectly until now.

I’m going to step back for a moment and consider other options.

Regards,

David

Sorry to hear that @geercom

2FA is very particular and has to meet a lot of standards to be correct, which is great because it provides great security.

Having the time be off even by 1 minute will cause all the codes that are provided to either be too early or too late for entry. Everything has to be in sync for 2FA to work.

The time on my phone is internet time. If the 2FA is off by a minute, is it not using internet time?

I am having similar problems and just sent a diagnostic report as well.