Problem
When a user with two-factor authentication (TOTP) enabled attempts to sign in to Terraform Enterprise, the login fails with the following error message:
Invalid authentication code!
Cause
This error can occur if the system clock on the Terraform Enterprise server has drifted out of sync. A TOTP code is derived from a shared secret and the current time rounded down to a fixed step (30 seconds by default), and the server typically accepts only the code for the current step and one or two adjacent steps. Once the server's clock is more than that tolerance away from real time, every code the user's authenticator app produces is rejected, even though both sides hold the same secret.
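The following is an added illustration of that mechanism, not code from Terraform Enterprise or from this article. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) using the RFC's own test secret, and then replays a login where the user's phone is correct but the server clock is off by a given number of seconds. The one-step tolerance window is an assumption for the demonstration; the page does not state what window Terraform Enterprise actually uses.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30   # RFC 6238 default time step in seconds
DIGITS = 6  # code length used by most authenticator apps

# RFC 4226/6238 test secret "12345678901234567890", encoded the way
# authenticator apps receive it (Base32). Constructed test data, not a real secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = base64.b32decode(RFC_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` adjacent steps.
    The window size is an assumption for this example."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, server_time + k * STEP), code):
            return True
    return False


def login_with_drift(secret: bytes, real_time: int, server_drift_s: int, window: int = 1) -> bool:
    """Replay a login: the user's app computes the code from the true time,
    the server validates it against its own (drifted) clock."""
    user_code = totp(secret, real_time)
    return verify_totp(secret, user_code, real_time + server_drift_s, window)


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test vector time; 6-digit code is 081804
    print("code at T=59:", totp(RFC_SECRET, 59))
    for drift in (0, 20, -20, 90, -90):
        print(f"server drift {drift:+4d}s -> login ok: {login_with_drift(RFC_SECRET, now, drift)}")
```

With a one-step window, a 20-second drift still lands inside the accepted range, while 90 seconds in either direction fails every attempt; that is why the symptom appears for all TOTP users at once and clears the moment NTP resyncs the server clock.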
You can check for time drift by running the timedatectl status command. In the output, check the values of NTP enabled and NTP synchronized (shown as NTP service and System clock synchronized on newer systemd versions) to verify that the system's NTP daemon is running and the clock is actually synchronized.
$ timedatectl status
Local time: Wed 2023-04-19 14:51:22 UTC
Universal time: Wed 2023-04-19 14:51:22 UTC
RTC time: Wed 2023-04-19 14:51:22
Time zone: UTC (UTC, +0000)
NTP enabled: no
NTP synchronized: no
RTC in local TZ: no
DST active: n/a
Solutions
There are two primary solutions depending on whether the issue affects all users or a single user.
Solution 1: Synchronize the System Clock (Server-Wide Issue)
If all users with two-factor authentication are affected, the issue is likely due to NTP drift on the server. You can resolve this by enabling and syncing the system's NTP daemon.
Execute the following command to enable NTP:
$ timedatectl set-ntp true
Then run timedatectl status again and confirm that NTP synchronized (or System clock synchronized) now reports yes; enabling the service is not the same as having a corrected clock. Once the clock is synchronized, users should be able to log in successfully.
Solution 2: Address User-Specific Issues
If the invalid token error is local to a single user, the cause is likely not server-wide time drift. In this case, the user or an administrator can take the following actions:
- Check the device clock: Drift on the user's phone produces the same mismatch as drift on the server, so the user should confirm the device is set to update its time automatically.
- Use Backup Codes: The user can authenticate using one of the backup codes they downloaded during the setup of 2FA.
- Reset 2FA: A Terraform Enterprise administrator can reset 2FA for the affected user's account, allowing them to re-enroll their device.