Unable to sign into web interface (Invalid TOTP code)

I seem to be unable to use any form of configured 2fa right now and am not sure what the problem is. Neither my Yubikey 4 nor my Authy verification codes work. Following is the support string for my docker-compose instance. My desktop app and browser plugin continue to work fine. I could reset my 2fa but I am very concerned that I will no longer be able to access my passwords on any machine. Many thanks in advance for any suggestions.

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.30.1
* Web-vault version: v2023.10.0
* OS/Arch: linux/x86_64
* Running within Docker: true (Base: Debian)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: true (X-Real-IP)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.44.0
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>

**Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD


```json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********",
  "domain_origin": "*****://**********",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Bitwarden_RS",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 0,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": false,
  "smtp_from": "*****************",
  "smtp_from_name": "Bitwarden_RS",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "***********",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": "61175",
  "yubico_secret_key": "***",
  "yubico_server": null
}
```

</details>

If this happens on only one device, I would almost think that device is not configured correctly or skewed too much for the current date/time.

Double check the device for its date/time, since for both methods you mentioned date/time is a factor.
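To tell clock skew apart from a wrong secret when the server rejects a code, the following added example (not part of the thread and not Vaultwarden's own code) recomputes RFC 6238 codes around the server time and reports the step offset at which a submitted code matches. The ±1 step acceptance window, the function names and the RFC 6238 test key used as the secret are assumptions of the example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def diagnose(secret_b32, code, server_time, accepted_steps=1, search_steps=20):
    """Return (verdict, step_offset) for a code submitted at server_time.

    accepted_steps is the assumed server tolerance (±1 step here);
    search_steps is how far beyond that we look to measure the skew.
    """
    # Try the nearest steps first so the smallest matching offset is reported.
    for k in sorted(range(-search_steps, search_steps + 1), key=abs):
        t = server_time + k * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), code):
            verdict = "accepted" if abs(k) <= accepted_steps else "clock skew"
            return verdict, k
    return "no match", None


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key, base32-encoded.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    device_time = 1111111109
    code = totp(secret, device_time)
    # Server in sync, 2 s ahead (next step), and 5 minutes ahead of the device.
    for server_time in (device_time, device_time + 2, device_time + 300):
        print(server_time - device_time, diagnose(secret, code, server_time))
```

A match at an offset outside the accepted window points to the device or server clock; "no match" points to a different secret or a mistyped code.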

I’ve now tried from three devices, two laptops and a headless box using bw-cli. I’ve also checked the times and they are the same. The server on which Vaultwarden is running had the docker instance restarted and the server itself was rebooted but I’m still unable to sign in.

If this happened after restarts and reboots, I would check if the storage isn’t gone or something is wrong with it.

You are using sqlite, so that should be stored locally on the disk/volume.

Because it sounds like the database was created again and is blank right now.

It doesn’t look like it:

```
# ls -l
total 22840
drwxr-xr-x 2 root root     4096 May 23  2022 attachments
-rw-r--r-- 1 root root     1458 Jun 29  2021 config.json
-rw------- 1 root root  2531328 Jan 22 16:51 db.sqlite3
-rw------- 1 root root    32768 Jan 22 19:56 db.sqlite3-shm
-rw------- 1 root root   164832 Jan 22 19:56 db.sqlite3-wal
drwx------ 2 root root    36864 Jan 22 19:56 icon_cache
-rw------- 1 root root     1193 Jan 16  2021 rsa_key.der
-rw------- 1 root root     1679 Jan 16  2021 rsa_key.pem
-rw------- 1 root root      270 Jan 16  2021 rsa_key.pub.der
-rw-r--r-- 1 root root      451 Jun 29  2021 rsa_key.pub.pem
drwxr-xr-x 2 root root     4096 May 23  2022 sends
drwxr-xr-x 2 root root     4096 May 23  2022 tmp
-rw-r--r-- 1 root root 20568511 Jan 22 19:56 vaultwarden.log
```

Check the logs of Vaultwarden.

This is what it shows for a login attempt:

```
[2024-01-23 13:31:36.365][request][INFO] GET /api/devices/knowndevice
[2024-01-23 13:31:36.368][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2024-01-23 13:31:47.320][request][INFO] POST /identity/accounts/prelogin
[2024-01-23 13:31:47.321][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2024-01-23 13:31:47.361][request][INFO] POST /identity/connect/token
[2024-01-23 13:31:47.382][error][ERROR] 2FA token not provided
[2024-01-23 13:31:47.382][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2024-01-23 13:32:21.353][request][INFO] POST /identity/connect/token
[2024-01-23 13:32:21.376][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2024-01-23 18:32:21 UTC IP: 98.233.171.119
[2024-01-23 13:32:21.377][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
```

For what it is worth, another user is able to use their 2fa to sign in. Moreover, I have now tried on 5 different boxes from various locations, including from the server itself.

So, other users are able to use 2fa? But you aren’t?
That seems to be strange.

Well, at least one other user. Yes, it is very strange.

I guess I should make sure I have an up-to-date backup of everything – this is tedious because without access to the web interface, Organizations can only be manually backed up by copying and pasting. And then “Remove all 2FA” for my account using the admin panel and hope for the best.

Phew! Removed all 2FA with no loss of data.
