TOTP Authentication failure - Invalid Password for two-factor authentication using Google/Microsoft 2FA
03/26/2020
Users may sometimes hit this issue when logging in to the SMA/UTM to start either an SSL VPN client-based or a web-based connection. After completing the first authentication step (LDAP or Local), the user is presented with another window asking for the code from their 2FA app. In some cases this second authentication step fails for the reason described in this article.
This has been observed when the time or time zone on the appliance and on the user device/app are not in sync. TOTP is an algorithm that computes a one-time password from a shared secret key (shared in the form of a QR code) and the current time. It is therefore very important that the SMA/UTM appliances and the end-user devices/apps are set to the right time and date.
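Added example, not from the original article or from the appliance vendor: an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, the Google Authenticator defaults) showing how a skewed clock turns a correct code into a rejected one, plus a diagnostic that estimates the skew. The sample secret, the +/-1 step acceptance window and the function names are assumptions for illustration; the appliance's actual tolerance is not stated on this page.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app

# Constructed sample secret (the RFC 6238 test key), in the base32 form a QR code carries.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Compute the RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // step)      # time -> step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Accept a code matching any step within +/- window of the server clock.
    window=1 is an assumed tolerance, not a documented appliance value."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + d * STEP), code)
        for d in range(-window, window + 1)
    )

def estimate_skew_steps(secret_b32, code, server_time, max_steps=120):
    """Diagnostic: nearest step offset at which the code matches, or None.
    A negative result means the device clock is behind the server clock."""
    for d in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + d * STEP), code):
            return d
    return None

if __name__ == "__main__":
    device_time = 1111111109            # constructed: phone clock, 5 minutes slow
    server_time = device_time + 300     # constructed: appliance clock (correct)
    code = totp(SECRET, device_time)
    print("code from device:", code)
    print("accepted by server:", verify(SECRET, code, server_time))
    skew = estimate_skew_steps(SECRET, code, server_time)
    print("device is off by", skew * STEP, "seconds")
```

The skew search is for troubleshooting with a test secret only; a production verifier should keep the acceptance window small and fix the clocks instead of widening it.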
First, as mentioned above, make sure the SMA/UTM appliance is set to the right date and time. Go to the web UI and record the time, date and time zone.
You can go to either of these websites: https://time.is/time_zones or https://www.timeanddate.com/time/map/, select the time zone, and set the same on the appliances accordingly. Correct the time using the NTP settings or set it manually.
If the appliance time settings are right, make sure the mobile phone app is set to the right date and time. For example, if you use Google Authenticator:
Make sure that the time on your Google Authenticator App is correctly in sync:
1) Go to the main menu on the Google Authenticator application
2) Tap More -> Settings
3) Tap Time correction for codes
4) Tap Sync now
5) On the next screen, the application will confirm that the time has been synced, and now you should be able to use your verification codes to sign in or bind. The sync will only affect the internal time of your Google Authenticator application and will not change your device’s Date & Time settings.
On an iPhone, check the device's date and time settings:
1) Go to the iPhone Settings App (your phone settings area)
2) Select General
3) Select Date & Time
4) Enable Set Automatically
5) If it is already enabled, disable it, wait a few seconds and re-enable
After that, you can use the code in the Google Authenticator app or bind it again.