All accounts blocked: 2FA code is incorrect for every user account

Rudhra 8 months ago updated 8 months ago 5

Even for the superuser account. How is this possible? 

The last thing I did was update FileRun from its interface; FileRun is running in Docker.

I didn't notice this at first because most devices were still logged in. But as soon as login is required again, nobody can log in because the 2FA code is incorrect.

Date/time of the server is correct, identical to home laptops/pc/phone.

How do I get access as superuser now? That way I can reset 2FA for other users.

Worse, even resetting password does not work: after scanning the QR code and entering the generated code it immediately says code is invalid. After resetting password for a second time, scanning the QR code, entering generated code, I had access.

But since I was required to change password, I did that, logged out again, same issue: generated code invalid!

Is 2FA broken with the new update?

I always use Aegis Authenticator as it is the only one that allows you to self-host its database (which I do through FileRun WebDAV) and it is more user-friendly than Google or Authenticator. I have never had issues with Aegis, also use it for my Google, Microsoft, Bitwarden/Vaultwarden, Firefox accounts.

Just to exclude some early bugs, please try to apply this patch: https://feedback.filerun.com/en/communities/1/topics/1533-fantastic-new-filerun-version-available-update-now#comment-5694

And let me know if the problem persists.

A time change on the server would be the only possible explanation that comes to mind.

I'll investigate more.

Thanks, with that update applied it works again (tested 2 users)!

2FA works for me using Microsoft Authenticator (also since the new update). I could only suggest triple-checking the date/time sync down to the second. Every now and then my server drifts a few seconds and that's enough to cause 2FA to fail. For me restarting systemd-timesyncd.service always solves the issue.


Unfortunately, it stopped working again :(

I have just disabled it for now. BTW: it even fails when I log in in a browser on the server itself (same time) and when I use the "Forgot password" process.

The biggest issue is that this happens with superuser account, preventing you from disabling 2FA -> means I am permanently locked out of FileRun :(

Ignore me! My server time was not set to automatic, it was behind a full minute :) Solved.
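
The root cause reported in this thread, a server clock one minute behind, can be reproduced with a small TOTP check. This is an added example, not FileRun's code and not from any poster: it assumes RFC 6238 defaults (SHA-1, 30-second step, 6 digits) and a verifier tolerance of ±1 step, none of which the thread states for FileRun, and `skew_steps` is a hypothetical diagnostic helper that reports how many steps the server clock is off when a code is rejected.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed, not FileRun's documented value)
SECRET = b"12345678901234567890"  # constructed sample: the RFC 4226/6238 test secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _matches(secret: bytes, code: str, counter: int) -> bool:
    # Counters before the epoch cannot occur; compare in constant time otherwise.
    return counter >= 0 and hmac.compare_digest(hotp(secret, counter), code)

def verify(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Accept the code if it matches any step within +/- window of the server's step."""
    now = int(server_time) // STEP
    return any(_matches(secret, code, now + d) for d in range(-window, window + 1))

def skew_steps(secret: bytes, code: str, server_time: float, search: int = 20):
    """Diagnostic only: signed step offset at which the code matches, nearest first.

    A positive result means the server clock is behind the authenticator's clock.
    Returns None if nothing matches within the search range.
    """
    now = int(server_time) // STEP
    for d in sorted(range(-search, search + 1), key=abs):
        if _matches(secret, code, now + d):
            return d
    return None

if __name__ == "__main__":
    phone_time = 119                        # constructed: authenticator's (correct) clock
    code = hotp(SECRET, phone_time // STEP)
    for lag in (0, 3, 60):                  # constructed server lags, in seconds
        server_time = phone_time - lag
        print(f"server {lag:>2}s behind: accepted={verify(SECRET, code, server_time)} "
              f"skew_steps={skew_steps(SECRET, code, server_time)}")
```

A non-zero `skew_steps` result on a rejected code points at the clock rather than at the secret or the authenticator app, which is the check that would have separated the two causes discussed above.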