Two-factor authentication with Microsoft Authenticator does work on local host but not on the remote domain

asked 2022-06-10T08:03:21.88+00:00
Manfred Mühlbacher 1 Reputation point

Hi,
I have an ASP.NET Core web application set up for 2FA. Running the application via local host, everything works properly.
But with the published application at the remote domain, activation of 2FA fails:

  • I do get the QR (and the activation code),
  • scanning the QR with Microsoft Authenticator (or adding the code manually) on my phone correctly creates the account in the authenticator,
  • the authenticator shows the confirmation key,
  • but when I enter the key into my web application, I get the message that the key is invalid.

I checked the time on my phone and on the remote domain and they are synchronized.

Any suggestions/help where to look for the cause will be appreciated very much.

Regards, Manu


1 answer

  1. answered 2022-06-19T17:35:50.567+00:00
    Manfred Mühlbacher 1 Reputation point

    Hi,
    after hours of searching the net and not finding anything useful, I decided to re-check time synchronization between my phone and the remote server.

    • I wrote some JavaScript that fetches the server time via an AJAX call and displays it on a page
    • I deployed the app to the remote server and started it from there
    • And indeed I found out that the server time was 1:55 min ahead!! (I also checked several time servers which confirmed that my phone time was correct)

    When I then manually set the time of my phone to the server time, 2FA activation worked properly (the confirmation keys were accepted).
    2FA activation on local host accordingly failed (since now local server time and phone time were different).

    Since my application runs on a shared server, I do not have exclusive access to the server. I wonder how I can synchronize the server time with the time of a time server.
    Does anyone have a suggestion how I should go about this?

    Regards, Manu

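
The failure described in this thread, as an added example that is not part of the original posts and is not ASP.NET Core's own code: a minimal RFC 6238 TOTP check in Node.js showing why a valid authenticator code is rejected when the server clock runs 1:55 ahead. The 30-second step and HMAC-SHA1 are the RFC defaults; the ±1-step acceptance window, the probe range and every function name are assumptions for illustration, and the key is the RFC 6238 test key.

```javascript
// Added example: RFC 6238 TOTP verification with drift diagnosis (Node.js).
const { createHmac, timingSafeEqual } = require('node:crypto');

const STEP_SECONDS = 30; // RFC 6238 default time step (assumed for this sketch)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP: the counter is the number of whole steps since the Unix epoch.
function totp(key, unixSeconds, digits = 6) {
  return hotp(key, Math.floor(unixSeconds / STEP_SECONDS), digits);
}

// Constant-time comparison of two code strings.
function sameCode(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Accept only within +/- acceptSteps of the server clock, but probe further
// (nearest step first) so a rejection can be logged with the observed drift.
function checkCode(key, code, serverUnixSeconds, acceptSteps = 1, probeSteps = 10) {
  const current = Math.floor(serverUnixSeconds / STEP_SECONDS);
  for (let i = 0; i <= probeSteps; i++) {
    for (const d of i === 0 ? [0] : [-i, i]) {
      if (sameCode(hotp(key, current + d), code)) {
        return { accepted: Math.abs(d) <= acceptSteps, driftSteps: d };
      }
    }
  }
  return { accepted: false, driftSteps: null };
}

// Constructed scenario: phone clock correct, server clock 115 s ahead (as in the thread).
const KEY = Buffer.from('12345678901234567890'); // RFC 6238 test key, not a real secret
const phoneTime = 1111111109;                    // RFC 6238 test timestamp
const phoneCode = totp(KEY, phoneTime);
console.log('in sync :', checkCode(KEY, phoneCode, phoneTime));
console.log('skewed  :', checkCode(KEY, phoneCode, phoneTime + 115));
```

A negative `driftSteps` means the server clock is ahead of the device. The value is meant for server-side logging of rejected codes, not as a reason to widen the acceptance window.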