“Invalid MFA Token” error for one user

We are using Google Authenticator for MFA. It is working for everyone except for one user. When he scans the barcode, and enters the code, he gets “Invalid MFA Token” from the Mattermost server.

When I search for his account in the System Console, the search results show that MFA is set to “no” for his account, and so I think that may be the issue.

However, since he can’t get logged in, he can’t change it, and there doesn’t seem to be a way for me to change it either. The mmctl command only allows you to turn off MFA, not turn it on.

What device and OS and version is the affected user on?

The server is running on Ubuntu 18.04. The server version information is

Version: 5.22.0
Build Number: 5.22.1
Build Date: Thu Apr 23 14:55:48 UTC 2020
Build Hash: d0d6e33a11c5e69afc415707b23b241f101f56d6
Build Enterprise Ready: true
DB Version: 5.22.0

The user is accessing the web site, but I don’t know at the moment what OS or browser he is using.

This is typically caused by the server clock being out of sync. If it’s not your server clock causing the issue, can you check the device clock to make sure it’s using network time and is not manually set?
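To make the clock-drift explanation concrete, here is an added example (not Mattermost's code, and not from anyone in this thread) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python and showing how far a device clock can drift from the server clock before a Google-Authenticator-style code is rejected. Assumptions: the shared secret is the RFC 4226 test-vector key, the timestamp is constructed to sit near the date in the thread, and the server accepts one 30-second step either side of its own time (Mattermost's real acceptance window is not stated on this page).

```python
import base64
import hashlib
import hmac
import struct

# Assumption: base32 form of the RFC 4226 test-vector key "12345678901234567890".
# This is what an authenticator app stores after scanning the QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30       # RFC 6238 time step in seconds
DIGITS = 6      # Google Authenticator displays 6-digit codes


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the code if it matches the server's current step or any step
    within +/- `window` steps. Uses a constant-time comparison so the check
    itself does not leak which digits matched."""
    counter = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
            return True
    return False


def skew_tolerance(secret_b32: str, server_time: int, skews: list,
                   window: int = 1, step: int = STEP) -> dict:
    """For each skew (seconds the *device* clock is ahead of or behind the
    server clock), compute the code the device would display and report
    whether the server accepts it. Returns {skew: accepted}."""
    results = {}
    for skew in skews:
        device_code = totp(secret_b32, server_time + skew, step)
        results[skew] = verify_totp(secret_b32, device_code, server_time,
                                    window, step)
    return results


if __name__ == "__main__":
    # Constructed timestamp: 2020-05-26 15:30:16 UTC, matching the thread.
    now = 1590507016
    for skew, ok in skew_tolerance(EXAMPLE_SECRET_B32, now,
                                   [0, 20, -20, 90, -90, 3600]).items():
        print(f"device clock {skew:+6d}s from server: "
              f"{'accepted' if ok else 'Invalid MFA Token'}")
```

The acceptance window is step-aligned rather than a symmetric number of seconds: a 20-second skew lands in an adjacent step and passes, while 90 seconds (three steps) or an hour is rejected no matter which side of the server time the device sits. That is why both clocks, not just the server's, have to be checked, and why a device whose time is manually set rather than network-synced fails on every Mattermost site it talks to.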

It is syncing the time from the network:

timedatectl status

                  Local time: Tue 2020-05-26 11:30:16 EDT
              Universal time: Tue 2020-05-26 15:30:16 UTC
                    RTC time: Tue 2020-05-26 15:30:16
                   Time zone: America/New_York (EDT, -0400)
   System clock synchronized: yes
   systemd-timesyncd.service active: yes
   RTC in local TZ: no

I even tried ntp as a test, but it still gives the same error. I have the user checking the time on his end.

The user checked, and his time appears to be correct, too.

Is it possible that just deleting his username from the system would “fix” this by totally resetting everything for him?

Hi, @mvanhorn.

When you mentioned that the user checked and verified that the time appears to be correct, do you mean that it is the same as any of the following?

For reference, the time drift issue is related to the following:

As of now, I don’t think it will be a good idea to just run mattermost user delete, as the problem might just come back when the MFA is set up again, especially when it is only impacting one user. Let’s understand the issue first before doing that.

Can you run the command below and verify that the MfaActive is set to 0?

SELECT Username, AuthData, AuthService, Email, MfaActive FROM Users WHERE Username = "<username>"\G

If yes, can you reset the MFA for this user by running the command mattermost user resetmfa first to see if it makes a difference when the user tries to log in again?

MfaActive was indeed set to 0 for this user. Just to see, I set it to 1, and he was able to get in without being prompted, until he logged out, and then he was having the same issue with the code being considered invalid.

So, I have now set MfaActive back to 0, and did a “mattermost user resetmfa” (again) and I’ll have him try again.

Since he hadn’t gotten into the system before, I did try deleting his account (this was before I played with the MfaActive field), but that didn’t make any difference, either.

Is there anything he should be checking on his end? He had also been using a Mattermost installation at another site, and now he’s getting the same “invalid code” error when he tries to login to that site, too.

Well, for whatever reason, this second “user resetmfa” worked, at least for our installation.

Thank you!
