We are using Google Authenticator for MFA. It is working for everyone except for one user. When he scans the barcode, and enters the code, he gets “Invalid MFA Token” from the Mattermost server.
When I search for his account in the System Console, the search results show that MFA is set to “no” for his account, and so I think that may be the issue.
However, since he can’t get logged in, he can’t change it, and there doesn’t seem to be a way for me to change it either. The mmctl command only allows you to turn off MFA, not turn it on.
This is typically caused by the server clock being out of sync. If it’s not your server clock causing the issue, can you check the device clock to make sure it’s using network time and is not manually set?
Local time: Tue 2020-05-26 11:30:16 EDT
Universal time: Tue 2020-05-26 15:30:16 UTC
RTC time: Tue 2020-05-26 15:30:16
Time zone: America/New_York (EDT, -0400)
System clock synchronized: yes
systemd-timesyncd.service active: yes
RTC in local TZ: no
I even tried ntp as a test, but it still gives the same error. I have the user checking the time on his end.
As of now, I don’t think it will be a good idea to just run the mattermost user delete, as the problem might just return when the MFA is set up again, especially when it is only impacting one user. Let’s understand the issue first before doing that.
Can you run the command below and verify that the MfaActive is set to 0?
SELECT Username, AuthData, AuthService, Email, MfaActive FROM Users WHERE Username = "<username>"\G
If yes, can you reset the MFA for this user by running the command mattermost user resetmfa first to see if it makes a difference when the user tries to log in again?
MfaActive was indeed set to 0 for this user. Just to see, I set it to 1, and he was able to get in without being prompted, until he logged out, and then he was having the same issue with the code being considered invalid.
So, I have now set MfaActive back to 0, and did a “mattermost user resetmfa” (again) and I’ll have him try again.
Since he hadn’t gotten into the system before, I did try deleting his account (this was before I played with the MfaActive field), but that didn’t make any difference, either.
Is there anything he should be checking on his end? He had also been using a Mattermost installation at another site, and now he’s getting the same “invalid code” error when he tries to log in to that site, too.
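
The clock-drift explanation discussed in this thread, as an added example that is not part of the original posts and is not Mattermost's code: a standard RFC 6238 TOTP generator (the algorithm Google Authenticator implements), a verifier that tolerates a small step window, and a helper that estimates how far a device clock is off from the code it produced. The secret is the RFC 6238 test secret, the times are constructed, and the function names and the ±1 step window are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Accept the code if it matches any step within +/- window of server time."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

def estimate_skew(secret_b32, code, server_time, max_steps=120):
    """Smallest device-minus-server offset (seconds) that yields code, else None."""
    for n in range(max_steps + 1):
        for sign in ((1, -1) if n else (1,)):
            t = server_time + sign * n * STEP
            if t >= 0 and hmac.compare_digest(totp(secret_b32, t), code):
                return sign * n * STEP
    return None

# Constructed sample data: RFC 6238 test secret, not a real user's secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_TIME = 1590507016           # constructed server clock reading
DEVICE_TIME = SERVER_TIME + 300    # constructed phone clock, 5 minutes fast

if __name__ == "__main__":
    code = totp(SECRET, DEVICE_TIME)
    print("accepted:", verify(SECRET, code, SERVER_TIME))
    print("estimated device skew (s):", estimate_skew(SECRET, code, SERVER_TIME))
```

A non-zero estimate of several steps points at the device clock rather than the server, and `None` means the code does not match the enrolled secret at any nearby time, which suggests the authenticator entry and the server-side secret no longer belong together.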