What to do if Google authenticator always gives wrong codes


    Good day.
    I would like to tell you about problems with 2FA authentication on Android 4.4.2 KitKat devices and about a solution that, in our case, put an end to a long search.

    Some time ago, my colleagues and I decided to add two-factor authentication (2FA for short) to our small office server running Ubuntu Server.

    2FA is an additional layer of security and a nice addition to the existing authentication mechanism. In addition to the usual login + password pair, the user performing the authorization must present a digital code that changes every 30 seconds and is generated by a device in the user's possession. To generate the codes, we used the Google Authenticator app on an Android mobile phone. After a one-time setup, the application generates codes with a lifetime of 30 seconds, and the server generates exactly the same codes; during authentication, the codes are compared.

    Since the data is not transmitted from the server and is stored only on the device, this mechanism is more secure than sending confirmation codes (for example, the 3-D Secure SMS confirmations used in banking systems).


    There turned out to be a surprising number of step-by-step guides to the server-side setup online. All of them are very simple and clear. I followed this article.

    After configuring the server, we installed the Google Authenticator application on a Lenovo P780 phone, scanned the QR code from the monitor and received the coveted digits for authorization. Before restarting SSH, do not forget to save the backup codes for restoring access.

    And now everything is ready to use! We restart SSH, connect to the server, enter the password, after the password we are asked for the Verification code, we copy it from the phone and ... are asked for the password again?! It looks like this:
    ssh user@server.ru
    Password: <enter the password>
    Verification code: <enter the code from the phone>
    Password: <re-enter the password>
    Verification code: <re-enter the code>
    user@server.ru's password: <password again>
    Permission denied, please try again.
    user@server.ru's password: <re-enter password>
    Received disconnect from xx.xxx.xx.xx: 2: Too many authentication failures for user

    At first, we thought a mistake had been made in the settings, but after trying several mobile devices it became obvious that the codes generated by Google Authenticator on Android 4.4.2 KitKat were always wrong.

    "Solutions" that were found and their results:


    1. If you roll back the Android version, it starts working correctly. (We lived with this "solution" for a while, but decided to move on.)
    2. Since the problem boils down to incorrect time zones, many solutions are aimed specifically at correcting them. The TimeZone Fixer application can really help with this problem; however, after using it, some applications start displaying the wrong time and have to be fixed manually. (The solution has its drawbacks and risks. All information about the application is available on w3bsit3-dns.com.)
    3. Adjust the time manually. To be honest, this method did not work for us. The idea is to set the clock by hand and thereby synchronize the time on the phone and the server. Alas, all attempts failed, although there were people who claimed it had worked for them. In any case, the prospect of losing the clock function of the phone is not the most pleasant one ...
    4. Clock synchronization inside the settings of the Google Authenticator application (no result in our case, although there were comments that it helped someone).


    Final Solution: FreeOTP


    While searching for a solution online, I had already come across the GitHub repository of the Google Authenticator application; our problem is in its issue tracker, and the suggested solution was:
    "You can use FreeOTP Authenticator (by Red Hat) instead of Google Authenticator until someone fixes it."


    For a long time it seemed to me that this recommended a different authenticator mechanism to be installed on the server instead of Google's, so I diligently kept searching for other solutions. I wanted to make Google Authenticator work, but in fact they recommend using a different Android application, and the server side remains unchanged: the FreeOTP Authenticator app. After setting it up with the same QR code, everything started working without the need to correct anything.

    Unfortunately, I cannot tell you the reason for the error in the Google Authenticator application, but I hope that my sad experience will save someone's time.

    I will be glad to hear your comments! Thanks for your attention.