2FA via App -> ERROR: Invalid Authentication Code.

  • Resolved dougjoseph

    (@dougjoseph)


    11 months, 3 weeks ago

    We have Solid Security Basic, version 9.1.0 (on WordPress version 6.4.1). We recently enabled 2FA, and I was able to use authentication via the Google Authenticator app. Then, same day, we had an issue with the site, had to restore from a backup made just prior to enabling 2FA. Then we re-enabled 2FA after the restore. Now the authentication via the Google Authenticator app is no longer working for me. I get “ERROR: Invalid Authentication Code.”

    How can I redo my authentication setup for use of the Google Authenticator app?

    • This topic was modified 11 months, 3 weeks ago by dougjoseph.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @dougjoseph, thanks for reaching out. We’re happy to help!

    TOTP-based methods are time-sensitive, so I wonder if the backup restore shifted your server’s timezone, causing the error. Can you confirm that your device and server times are in sync? Please use this guide on how to sync the times: Troubleshooting issues with Authy or Google Authenticator

    If you need help temporarily disabling Solid Security for you to access the site, please follow the instructions here: How Do I Disable All Features If I Can’t Access My Site? (remember to include the disable for 2FA). Once you’ve synced the times, remove the code snippets that disable the plugin and re-test the Mobile App 2FA method.

    If the error persists, disable the plugin again, remove the registered 2FA key from your Google Authenticator app, and go to your WP -> Users -> Profile page. From there, please scroll down to the 2FA section, scan a new QR code, and register it on your device.

    Hope this helps, and let us know how it goes!

    Thread Starter dougjoseph

    (@dougjoseph)

    Thanks. I will try to circle back after checking.

    Thread Starter dougjoseph

    (@dougjoseph)

    Is the included 2FA feature supposed to ignore subdomains and other domains in a multisite hub?

    When I created logins in the Google authenticator app, I created one for each of our sites.

    However, the 2FA feature of the plugin apparently wants to use the same secret for every single site in our multisite hub (both subdomains and domains).

    I only figured that out by noticing it while I was going to each of the sites, clicking into my profile settings within each site, and resetting the secret. I noticed that the most recent secret was overwriting all the earlier secrets on the other sites. That meant, I think, that all the previously made logins in the authenticator app, were based on an earlier secret now deleted. Thus, presumably that would mean only the latest distinct login in the authenticator app works.

    I seem to either not understand how this is supposed to work, or it’s not working right, and I’m not sure which.

    Thread Starter dougjoseph

    (@dougjoseph)

    OK, so armed with the knowledge that that the plugin seems to use the same secret for one user on all sites in a multisite hub, I tried, within the Google authenticator app, using only one login for all sites, and that seems to work for logging into all the sites. I guess I just did not understand how it was supposed to work.

    • This reply was modified 11 months, 2 weeks ago by dougjoseph.
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘2FA via App -> ERROR: Invalid Authentication Code.’ is closed to new replies.