Redmine

I cannot reproduce the issue for now.

You can forcefully disable two-factor authentication if you can access the console of your Redmine server. Please follow the steps below:

Go go the installation directory of Redmine and start a Rails console.

cd path/to/redmine
bin/rails c -e production

Enter the following lines in the Rails console. The example below disables two-factor authentication for the user 'jsmith'.

user = User.find_by(login: 'jsmith')
require 'redmine/twofa/base'
twofa = Redmine::Twofa::Base.new(user)
twofa.destroy_pairing_without_verify!
exit

Hi,

I figured it out.

$ mysql -u myredmineuser -p
Enter password: myredminepassword
MariaDB [(none)]> use redmine
MariaDB [redmine]> update settings set value = 0 where name = 'twofa';

I can login to my Redmine site again. :)

It is very strange that the 2fa setting page won't accept any code from Google Authenticator & Authy.

ChunChang Lo wrote:

It is very strange that the 2fa setting page won't accept any code from Google Authenticator & Authy.

Are the clocks of your devices correct?

Go MAEDA wrote:

Are the clocks of your devices correct?

yes, the system time (iphone & pc) is the same. (ntp to the same timezone, Taipei UTC+8).

just tried again, and both google authenticator & authy are failed (the 2fa settings page doesn't accept codes from the app).

the error message is the same as '2022-03-21_20-22-07.png'.

BTW, the redmine server uses UTC & all admin accounts uses Taipei UTC+8 in the account's preferences.

It seems I have the same issue, I am on 4.2.3-stable.

I never had any issues, and now it seems people cannot longer activate 2FA: Code is invalid or outdated.

I observe it DOES work when 2FA is optional and users are using the account settings. If 2FA is required, and users get the forced 2FA prompt, it doesn't work.

I also notice, it does seem to work on my test environment (other servers, same Redmine version). ROTP gem is 6.2.0, other gems are the same version.
Both servers are on CEST and time synced. (Could DST play a role? We activated most accounts before summer time)

Could someone point me in a direction?

Correction:
The behavior on production seems to be the same for manual or forced 2FA activation.

This morning, multiple users were unable to activate 2FA, and now it only blocks from time to time.
This resembles a time sync issue... but all devices / servers are synchronized perfectly. Timezone is CEST (Belgium)

I tried again on my test environment, same behavior. The code is not working from time to time... but independently of the moment I use the code (beginning, middle or end of the 30 second timeframe)

Could this be a Google Authenticator issue?