2FA with OTP broken after restoring from Backup

I moved my Discourse from my personal PC to an “always on” Server, both in the same network. Created a fresh docker with discourse and then restored the backup as shown here: Restore a backup from command line

Everything is fine but login for users who activated 2FA with OTP. I’m using AndOTP on Android and the OTP was no longer valid. Also, creating a new 2FA-Token is impossible, because the token created by the app is not accepted by Discourse. So somehow, even though I just scanned the QR-Code, the created token is no longer correct.

I assume I did something wrong?

1 Like

To narrow down the problem: I have just tried securing my account with a Yubikey, and that worked just fine.

It’s only OTP.

1 Like

Have you tried deleting the OTP records before recreating new ones? See this post for help: Disable 2FA via console - howto / sysadmin - Discourse Meta

3 Likes

No, I didn’t - so thank you for that. I had helped myself by creating a new admin user and logging in as this user and using the web interface to disable 2FA for the affected users.

I have now followed your link (thank you for that) and it worked insofar as my 2FA with a YubiKey has been disabled.

But using 2FA with OTP again? No. I can’t add an authenticator app, because after scanning the QR-Code, the generated token is not valid. Which was NOT a problem on the original instance.

Oh, I haven’t seen this recently, what version of Discourse are you currently running?

Maybe some time discrepancy between server and client?

5 Likes

Both versions (source of the backup and the system the backup was restored to) are 2.8.0.beta1

I will check that tomorrow - I don’t have access to the system today. That might be the problem, but I’m reasonably sure that ntp is active and should correct the internal clock of the server.

2 Likes

You were right, that solved my problem. While ntp was installed, the time discrepancy was so large that ntp was no longer correcting it. I have now forced the sync and OTP works again.

5 Likes
