django-two-factor-auth

Invalid token. Please make sure you have entered it correctly

Open olivierbufalini opened this issue 6 years ago • 17 comments

After a while, tokens are not accepted anymore, even though I am using the right code generated by the Google Auth App. Whenever I enter the code I keep getting the same message: Invalid token. Please make sure you have entered it correctly

The only way to solve it is to remove the token in the DB and redo the setup.

Your Environment

  • Browser and version: Any
  • Python version: 2.7
  • Django version: 1.10.5
  • django-otp version: 0.3.8
  • django-two-factor-auth version: 1.5.0
  • Link to your project:

olivierbufalini avatar Mar 09 '18 15:03 olivierbufalini

Without additional information, there's nothing much to look at here. I think the clock skew (drift) is stored somewhere on the OTP device, and I'm guessing here, maybe the clock of your phone and the server have drifted too much?

Bouke avatar Apr 15 '18 12:04 Bouke

Hi there. I got a similar problem and can't figure this out. Checking the time is clearly the first thing to do and sadly doesn't help. In a desperate hope I tried to clear the cache and the session, no luck there. I didn't check the inside of the application yet, so if there are some ideas about what to look for the next time it happens, it might help.

marojenka avatar Oct 10 '18 07:10 marojenka

Did you figure out how to resolve this?

lucawen avatar Nov 06 '18 20:11 lucawen

Since my message I had this problem only a few times on a development server and wasn't able to narrow it down before it disappeared, sorry.

marojenka avatar Nov 07 '18 05:11 marojenka

I'm having this problem in production with large-scale user problems... My timezone is in Seoul, maybe it is this?

lucawen avatar Nov 23 '18 14:11 lucawen

I'm not able to reproduce this anymore. Chances are it was tied to a custom middleware that enforced a login-required policy. It never happened after I added /favicon.ico (!) to the exceptions list. My bad /shrug

marojenka avatar Nov 24 '18 21:11 marojenka

Was bitten by this too; a warning could be added in the docs that inadvertent redirections might interfere with the process.

claudep avatar Feb 18 '19 18:02 claudep

That might be worth doing as it's not the only issue reported that was caused by this sort of misconfiguration: https://github.com/Bouke/django-two-factor-auth/issues/291

moggers87 avatar Feb 19 '19 01:02 moggers87

I also stumbled on it.

It could be caused by django_otp. The TOTPDevice Model has a ThrottlingMixin. After entering a wrong code the ThrottlingMixin could throw the error: VerifyNotAllowed.N_FAILED_ATTEMPTS. django_otp ignores the error message and only returns False as the error status. django-two-factor-auth handles the False by showing the Invalid token message.

ronnievdc avatar Jun 26 '19 08:06 ronnievdc

@ronnievdc that's by design and this bug pre-dates that feature by about a year.

moggers87 avatar Jun 26 '19 09:06 moggers87

Are there any other URLs that might be loaded that could be causing this issue for you?

moggers87 avatar Sep 22 '20 17:09 moggers87

The TOTP generated from the forms.py code (totp(key, self.step, t0, self.digits, self.drift + offset)) is different from the code Google Authenticator is showing me. Any suggestions?

kirubasankar2006 avatar Jan 07 '21 05:01 kirubasankar2006

Some more information would be helpful!

moggers87 avatar Jan 07 '21 11:01 moggers87

Hi. Below is my detail on what I have done so far. https://stackoverflow.com/questions/65540983/django-two-factor-authentication-not-working.

steps followed.

  1. Installed the packages two_factor install Django-two-factor-auth.
  2. opened the URL /account/login
  3. after entering the user name and password redirected to the QR setup page
  4. scanned QR on both Google Authenticator/ Authy (both shows
  5. when I enter the token generated by google authenticator I get the error Invalid token.

When I debug I can see that the token generated from two_factor\forms.py is different from what I see in Google Authenticator. Any help is appreciated.

kirubasankar2006 avatar Jan 07 '21 13:01 kirubasankar2006

Are the clocks on your device and your server correct? TOTP is very sensitive to clock drift and it's been my personal experience that this sort of issue is usually a case of "oh, NTP crashed on my server" :smile_cat:

moggers87 avatar Jan 07 '21 14:01 moggers87

> The TOTP generated from the forms.py code (totp(key, self.step, t0, self.digits, self.drift + offset)) is different from the code Google Authenticator is showing me. Any suggestions?

You can increase the tolerance value, the token will be usable for some more time. It helped me with the same issue.

Chuchundr avatar Jan 07 '21 14:01 Chuchundr
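
Added example, not part of the thread and not django-otp's or django-two-factor-auth's own code: a standard-library RFC 6238 implementation showing how clock skew between phone and server turns into a step offset, and which offsets a given tolerance accepts. The helper names (`hotp`, `totp`, `matching_offset`, `demo`) and the sample clock values are assumptions constructed for illustration; the key is the RFC 4226/6238 test key.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, step=30, t0=0, digits=6, drift=0):
    """RFC 6238: the counter is the number of whole steps since t0.
    drift shifts the counter by whole steps (same argument order idea as
    the totp(...) call quoted in the thread, but this is a hypothetical helper)."""
    return hotp(key, int(now - t0) // step + drift, digits)


def matching_offset(key, token, now, tolerance=1, step=30, t0=0, digits=6):
    """Return the step offset (nearest first) at which token verifies
    against the server clock, or None if it is outside +/- tolerance."""
    for offset in sorted(range(-tolerance, tolerance + 1), key=abs):
        candidate = totp(key, now, step, t0, digits, offset)
        if hmac.compare_digest(candidate, token):
            return offset
    return None


KEY = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
SERVER_NOW = 160               # constructed server clock: counter 5, 10 s into the step


def demo():
    """Phone clock runs ahead of the server by 0, 25 and 95 seconds."""
    results = {}
    for skew in (0, 25, 95):
        phone_token = totp(KEY, SERVER_NOW + skew)
        results[skew] = (
            matching_offset(KEY, phone_token, SERVER_NOW, tolerance=1),
            matching_offset(KEY, phone_token, SERVER_NOW, tolerance=4),
        )
    return results


if __name__ == "__main__":
    for skew, (tight, loose) in demo().items():
        print(f"skew={skew:>3}s  tolerance=1 -> {tight}  tolerance=4 -> {loose}")
```

In this helper a tolerance of n accepts 2n+1 codes at any moment, so a non-zero offset reported here is a reason to check the server's clock synchronisation before widening the window.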

Thank you for the reply. I am trying only on localhost now, so the clock on my PC and my mobile have the same time. I have even tried to set TIME_ZONE = 'Asia/Kolkata', which is my local time.

> > The TOTP generated from the forms.py code (totp(key, self.step, t0, self.digits, self.drift + offset)) is different from the code Google Authenticator is showing me. Any suggestions?
>
> You can increase the tolerance value, the token will be usable for some more time. It helped me with the same issue.

I tried this also bro. No luck.

kirubasankar2006 avatar Jan 07 '21 15:01 kirubasankar2006