Problem
Terraform Enterprise users with 2FA (TOTP) enabled are unable to log in because their OTP is rejected with the following error:
Invalid authentication code!
Cause
This can be caused by NTP drift on the Terraform Enterprise server. Run timedatectl status to view the current system time and identify drift. Additionally, verify that the system's NTP daemon is running by checking the value of NTP enabled/NTP service in the output of timedatectl status:
$ timedatectl status
Local time: Wed 2023-04-19 14:51:22 UTC
Universal time: Wed 2023-04-19 14:51:22 UTC
RTC time: Wed 2023-04-19 14:51:22
Time zone: UTC (UTC, +0000)
NTP enabled: no
NTP synchronized: no
RTC in local TZ: no
DST active: n/a
Solution
This can be resolved by enabling the system's NTP daemon, which syncs the system clock, with timedatectl set-ntp true.
Note that this specific issue would affect all Terraform Enterprise users with two-factor authentication enabled. For invalid token errors local to a given user, have the user authenticate with the backup codes downloaded during the setup of 2FA, or work with a Terraform Enterprise administrator to reset 2FA.