Hi,
I'm trying to enable TOTP 2FA for the admin user on the GUI using a YubiKey (Yubico Authenticator on Windows), but the Local + TOTP tester almost always fails with "Authentication failed." Once it worked, but every attempt after that has failed.
Environment
OPNsense version: 26.1.4
Authentication servers (GUI): Local Database and Local + TOTP
TOTP server:
Type: Local + Timebased One Time Password
Token length: 6
Time window: 2 (also tried empty)
Reverse token order: unchecked (also tested checked)
User / token
User: admin
OTP seed generated in GUI (System → Access → Users → admin → OTP seed, "Generate new secret" + Save)
Enrolled via QR code into YubiKey Authenticator on Windows
TOTP code: 6 digits
Time
Timezone: Europe/Rome
NTP enabled with pool servers
date on the firewall matches PC time (≤ 1–2 seconds drift)
Problem
admin can log in with username + password (via Local Database).
In System → Access → Tester:
Server: Local + TOTP
User: admin
Password: adminPassword + 6‑digit TOTP (also tried TOTP+password with reverse order)
Result: almost always "Authentication failed."
It did work once (tester accepted the credentials and showed a success), but all attempts before and after that were "Authentication failed."
What I already tried
Regenerated the admin OTP seed multiple times and saved.
Deleted and re‑added the account in YubiKey Authenticator using the new QR code each time.
Rebooted the firewall.
Restarted the webgui service under System → Diagnostics → Services.
Checked System Logs: I only see some lighttpd errors like php-fastcgi.socket-X: Connection refused, but nothing clearly related to TOTP or authentication failures.
Question
Are there any known issues with Local + TOTP + YubiKey on 26.1.4, or extra logs/debug options I can enable to see why the TOTP is rejected? The fact that the tester worked once and then never again makes me think of some state/bug rather than a simple time or password format issue.
Thanks.
Uncheck Local Database in Settings > Administration > Authentication. No need to have both TOTP and Local DB enabled. Then test again.
Also, the tester defaults back to Local Database after each test. Just something to watch out for :)