All 2FA keys incorrect #1048

New Issue

Closed

opened 2025-11-07 06:56:00 -06:00 by GiteaMirror · 6 comments

GiteaMirror commented 2025-11-07 06:56:00 -06:00

Owner

Copy Link

Originally created by @opicron on GitHub (Jun 10, 2021).

Subject of the issue

edit: not sure if I should list this here or at the official Bitwarden
Generated TOPT 2FA keys do not match Google Authenticator

Deployment environment

Synology Docker

• vaultwarden version:
  1.21.0

• Install method:
  Docker image

• Clients used:
  n/a - Desktop/Webvault

Steps to reproduce

I checked the date on Synology and Docker container, that is correct.
All of the 2FA keys which have not changed in the last weeks are incorrect. Yesterday they were working fine.
The resulting generated keys are now no longer the same as my backups in Google Authenticator.

Expected behaviour

I expect the same generated keys as in Google Authenticator

Actual behaviour

They are different and now no longer work as 2FA.

Originally created by @opicron on GitHub (Jun 10, 2021). ### Subject of the issue edit: *not sure if I should list this here or at the official Bitwarden* Generated TOPT 2FA keys do not match Google Authenticator ### Deployment environment Synology Docker * vaultwarden version: 1.21.0 * Install method: Docker image * Clients used: n/a - Desktop/Webvault ### Steps to reproduce I checked the date on Synology and Docker container, that is correct. All of the 2FA keys which have not changed in the last weeks are incorrect. Yesterday they were working fine. The resulting generated keys are now no longer the same as my backups in Google Authenticator. ### Expected behaviour I expect the same generated keys as in Google Authenticator ### Actual behaviour They are different and now no longer work as 2FA.

GiteaMirror closed this issue 2025-11-07 06:56:00 -06:00

GiteaMirror commented 2025-11-07 06:56:01 -06:00

Author

Owner

Copy Link

@omueller commented on GitHub (Jun 10, 2021):

Hi @opicron, have you changed something in the mean time (if it was working fine before, or it is a new installation) ? You wrote you checked the date, but is the time really correct on second level on all devices (synology, vaultwarden/docker, google auth device) ? And is everything green also under /admin/diagnostics ?

@omueller commented on GitHub (Jun 10, 2021): Hi @opicron, have you changed something in the mean time (if it was working fine before, or it is a new installation) ? You wrote you checked the date, but is the time really correct on second level on all devices (synology, vaultwarden/docker, google auth device) ? And is everything green also under /admin/diagnostics ?

GiteaMirror commented 2025-11-07 06:56:01 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 10, 2021):

Please check the /admin/diagnostics page and check the time.
Also, post the Support String which you can generate over there.

@BlackDex commented on GitHub (Jun 10, 2021): Please check the `/admin/diagnostics` page and check the time. Also, post the `Support String` which you can generate over there.

GiteaMirror commented 2025-11-07 06:56:01 -06:00

Author

Owner

Copy Link

@opicron commented on GitHub (Jun 10, 2021):

Thank you for swift response. I think this is correct:

Date & Time (Local)
    Server: 2021-06-10 13:04:43 +00:00 
Date & Time (UTC) Ok
    Server: 2021-06-10 13:04:43 UTC 
    Browser: 2021-06-10 12:58:31 UTC

Support string:

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.21.0
* Web-vault version: v2.19.0d
* Running within Docker: true
* Uses a reverse proxy: true
* IP Header check: true (X-Real-IP)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Time Check: true
* Domain Configuration Check: false
* HTTPS Check: true
* Database type: SQLite
* Database version: 3.33.0
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
json
{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****.*******.**:****",
  "domain_origin": "*****://****.*******.**:****",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "warn",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "****@******.****",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "****.*********.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "****@******.****",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

@opicron commented on GitHub (Jun 10, 2021): Thank you for swift response. I think this is correct: ``` Date & Time (Local) Server: 2021-06-10 13:04:43 +00:00 Date & Time (UTC) Ok Server: 2021-06-10 13:04:43 UTC Browser: 2021-06-10 12:58:31 UTC ``` Support string: ``` ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.21.0 * Web-vault version: v2.19.0d * Running within Docker: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Time Check: true * Domain Configuration Check: false * HTTPS Check: true * Database type: SQLite * Database version: 3.33.0 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_ip_header_enabled": true, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_max_conns": 10, "database_url": "****/**.*******", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****.*******.**:****", "domain_origin": "*****://****.*******.**:****", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "enable_db_wal": true, "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/bitwarden.log", "log_level": "warn", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "org_attachment_limit": null, "org_creation_users": "", "password_iterations": 100000, "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sends_folder": "data/sends", "show_password_hint": true, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_explicit_tls": false, "smtp_from": "****@******.****", "smtp_from_name": "Vaultwarden", "smtp_host": "****.*********.***", "smtp_password": "***", "smtp_port": 587, "smtp_ssl": true, "smtp_timeout": 15, "smtp_username": "****@******.****", "templates_folder": "data/templates", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_syslog": false, "user_attachment_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ```

GiteaMirror commented 2025-11-07 06:56:01 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 10, 2021):

It looks to me like either server or your host is drifting time. They are too much apart.
12:58:31 and 13:04:43 are more than 6 minutes difference.

I'm not sure which is wrong, it could even be both. Try to enable NTP or something on the docker host.

@BlackDex commented on GitHub (Jun 10, 2021): It looks to me like either server or your host is drifting time. They are too much apart. 12:58:31 and 13:04:43 are more than 6 minutes difference. I'm not sure which is wrong, it could even be both. Try to enable NTP or something on the docker host.

GiteaMirror commented 2025-11-07 06:56:02 -06:00

Author

Owner

Copy Link

@opicron commented on GitHub (Jun 10, 2021):

The synology host is updated by Google NTP. Docker has same time. I now see that only the firefox plugin is incorrect. The iPhone bitwarden shows the correct keys. I would expect that the Firefox plugin doesnt use the local time, I think my expectation is incorrect.

I will mark as closed now, especially seeing nobody else is having issues. Sorry.

@opicron commented on GitHub (Jun 10, 2021): The synology host is updated by Google NTP. Docker has same time. I now see that only the firefox plugin is incorrect. The iPhone bitwarden shows the correct keys. I would expect that the Firefox plugin doesnt use the local time, I think my expectation is incorrect. I will mark as closed now, especially seeing nobody else is having issues. Sorry.

GiteaMirror commented 2025-11-07 06:56:02 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Jun 10, 2021):

@opicron Then it looks like your client (where you are running Firefox on) is not having the correct time as seen there is more then 6 minutes time difference. I would try to enable or verify the NTP state of you client (laptop/desktop/rpi, whatever)

@BlackDex commented on GitHub (Jun 10, 2021): @opicron Then it looks like your client (where you are running Firefox on) is not having the correct time as seen there is more then 6 minutes time difference. I would try to enable or verify the NTP state of you client (laptop/desktop/rpi, whatever)

GiteaMirror referenced this issue 2025-11-07 07:53:26 -06:00

[PR #1048] [MERGED] Add startup script to support init operations #2731

GiteaMirror referenced this issue 2026-03-07 21:00:09 -06:00

[PR #1048] [MERGED] Add startup script to support init operations #6508

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#1048