2FA issue

stanthewizzard

Dabbler
Joined
Sep 6, 2019
Messages
11
Hello

2FA was working well.
Now I'm unable to login.
Through shell I reset my root pass. Disabling 2FA.
I can login.

Reverted my root password to the old password. Logout. Login without issue.
Enable 2FA (stored in Authy and 1Password) using QR code.
I can't login anymore

Thanks for help
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
@stanthewizzard I have the same issue. Did you manage to find a solution? Could you please tell me the command to disable 2FA via command line?

Thank you
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
Hi,

I have managed to reset the root password via ssh but I cannot figure out how to remove 2FA. Can you please tell me how you did it?
 

Mario1971

Dabbler
Joined
Jul 14, 2019
Messages
40
Hello, I have the same problem here. TrueNAS 12.0-U6. It works after a system reboot without any problems. Then after 3 days of system runtime it does not work again. Do you have a solution for the problem? Or reported a bug?
If you have access through the Shell you can enter:
midclt call auth.twofactor.update '{"enabled": false}'
to disable the 2FA.
Many greetings Mario
 

Mario1971

Dabbler
Joined
Jul 14, 2019
Messages
40
Ok thanks! I have read through the topic, unfortunately it does not fit with me. The times are synchronized. No time offset. Unfortunately, it no longer works.
 

Mario1971

Dabbler
Joined
Jul 14, 2019
Messages
40
Ah ok, sorry, I used that command and it worked. Unfortunately I can no longer use the 2FA. Is probably a bug in TrueNAS. Many greetings Mario
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey guys,

All of you probably have the same problem: your TrueNAS servers and your 2FA devices are out of sync. TOTP means TIME-based one-time password. If your clocks are even only 30 seconds apart from each other, 2FA will fail.

As a 2FA device, the use of a smartphone ensures that this one will have the correct time. Smartphones require very precise time and they always sync time with the cell network. As for the TrueNAS server, you must ensure that it syncs successfully over NTP with official references. If you use a computer as a client, you must also sync it over NTP to ensure its time is accurate.
 

Dave Hamby

Dabbler
Joined
May 16, 2017
Messages
44
This seems to be a common problem. I set up the account in 1Password, set up 2FA and set up 2FA in 1Password. Logged out, logged in verifying the password and 2FA. Later I came back and could not log in. I resolved the issue by resetting the password using physical console option 7. Now verifying WebUI. Will leave 2FA off for now.
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
@Heracles you were 100% correct. I looked at the time on the TrueNAS server and I was out of sync by 40 seconds. Thank you
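
The failure described above (a server clock 40 seconds off), as an added example that is not part of the original thread: a minimal RFC 6238 TOTP in Python that measures how often a code from a correctly timed authenticator is accepted by a skewed server. The key and start time are constructed, and `window` is a hypothetical parameter standing for how many adjacent 30-second steps a verifier tolerates.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
KEY = b"12345678901234567890"  # constructed sample secret (the RFC test key)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(key, int(unix_time) // STEP, digits)


def verify(key: bytes, code: str, server_time: float, window: int = 0) -> bool:
    """Accept the code if it matches any step within +/- window of the server's step."""
    step = int(server_time) // STEP
    return any(hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-window, window + 1))


def acceptance_rate(key: bytes, skew: int, window: int,
                    start: int = 1_634_313_000, samples: int = 300) -> float:
    """Share of logins accepted when the server clock runs `skew` seconds
    ahead of the authenticator, trying one login per second."""
    ok = sum(verify(key, totp(key, t), t + skew, window)
             for t in range(start, start + samples))
    return ok / samples


if __name__ == "__main__":
    for skew, window in [(0, 0), (10, 0), (40, 0), (40, 1), (40, 2)]:
        rate = acceptance_rate(KEY, skew, window)
        print(f"skew={skew:>2}s window={window}: {rate:.0%} of logins accepted")
```

With no tolerance window, a 40-second skew always lands the server in a different time step than the authenticator, so every code is rejected; correcting the server clock over NTP addresses the cause, whereas a wider window only masks it.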
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
I have set up NTP with the following:

1634313740315.png

I welcome any advice if there are better NTP servers to use
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Good that you fixed your problem @Fred974.

As for NTP, all of your references are pretty generic or global... Google, Cloudflare, ...

NTP is sensitive to latency and for that reason, better for you to take references that will be closer to you. The French government may have some public time references. Local universities and others may also have some.

Your actual config and reference will be up to the task, but as you asked if there is even better, actually there is.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399

Dave Hamby

Dabbler
Joined
May 16, 2017
Messages
44
I hadn't thought to check time. NTP or PTP and a well-behaved host OS should take care of it.

I did find an issue at Apple support where hosts supposedly synced to time.apple.com were 3 minutes out of sync with hosts synced to Cisco's time servers. The Apple hosts were iPads and iPhones. I suspect that the time is right but that the applications, when put in the background, are not keeping up. With iOS 15, I'm seeing the clock widget jump to sync after going time late while off-screen. I'm also seeing the same behavior in my Apple watch face.


I've added time.apple.com to the NTP servers. GPS referenced NTP servers are very affordable now. Nobody should be offering time service without them.

I've found I have to wait a FIDO cycle with many hosts for the FIDO app to catch up. Symantec VIP used by USAA was notorious.
 

Dave Hamby

Dabbler
Joined
May 16, 2017
Messages
44
I've re-enabled 2FA and verified I can log in. Letting it sit a while to confirm the FIDO cycle hypothesis mentioned above. Will see if the issue happens using the 1Password app vs the 1Password Firefox plugin.
 

asw2012

Contributor
Joined
Dec 17, 2012
Messages
182
I would like to ask, if we get locked out and our 2FA device (to generate the 6-digit code) is no longer working, are there any backup codes that can be generated? (similar to some popular apps, like Nextcloud 2FA or Instagram 2FA)
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey @asw2012,

Here, I authenticate to SSH using public key. As such, it is both strong and not related to TOTP.

The physical console on the server is another option: you can connect to it without authentication (unless you manually configured it differently).

So these are the workarounds whenever you cannot complete TOTP.
 