Still having problems with using OTP for auth

Started by thefunkygibbon, February 03, 2023, 11:51:46 AM

I've tried this now on and off for over a year through various versions and it still doesn't work for me.


  • I've created an OTP server within OPNsense; I've tried with different token lengths and so on.
  • I've added a user and configured it to use OTP and imported the token QR code into Google Authenticator and other OTP apps (including Yubico and a Windows one too).
  • I've tried the 'tester' and tried logging in too (the user is configured with admin rights), but neither works.
  • I've verified time, date and timezone and all is correct.
  • I've tried using the OTP followed by the password and the other way around.
  • I've tried a user name of gibbon and also gibbon@opnsensefw (which is what it's listed as in the authenticator app... not sure which you're supposed to use, but neither seems to work).


Please can anyone help troubleshoot this with me or at least offer some suggestions. I've read through the guide on the wiki page and I'm positive I've done all that's needed (I've set it up from scratch a few times now).
I don't fancy factory defaulting the whole box to see if that helps though.

Polite bump. Anyone? Don't suppose there is a Discord channel yet, is there?

I've not used the OPNsense implementation, so I don't have a lot of guidance. The major thing that has hung me up in the past is time: it has to be near perfect on your device and your server for it to work. Make sure your OPNsense box is getting proper time sync, and make sure your mobile device is as well. Use an online time source like time.nist.gov to make sure it's perfect. Secondly, anything in your logs? It might lead you down a path to resolution if you know what seems to be failing.

For me MFA works like a charm.
What I did was I extended the Grace Period to 15 seconds, so the old token is valid for 15 seconds after the new one is issued.
If you do not change the config, you type in the token code that is on your device followed by the password.
For example, if the password is Password1! you type 23456789Password1! with no space in between.
Hope that helps.

Quote from: amichel on February 08, 2023, 08:02:09 PM
For me MFA works like a charm.
What I did was I extended the Grace Period to 15 seconds, so the old token is valid for 15 seconds after the new one is issued.
If you do not change the config, you type in the token code that is on your device followed by the password.
For example, if the password is Password1! you type 23456789Password1! with no space in between.
Hope that helps.

This is good feedback; extending the time can be helpful. I did this for OpenVPN back in the day, as end users struggled to get their code and their password in within the short duration.

March 01, 2023, 10:34:56 PM #5 Last Edit: March 01, 2023, 10:42:42 PM by thefunkygibbon
oh snap, I didn't realize there were replies, sorry. I didn't mean to be rude.  I didn't receive any notifications.

Thank you both for your replies and advice.
I've tried changing the default time window and grace period to at least triple their default values. Time on both the firewall and the authenticator device is as near as dammit identical... certainly within a second.
Also, the key+password format (and vice versa) is what I have been trying. I tried both formats out of desperation and neither worked.

I'm at a loss as to what else to try or troubleshoot, as I don't seem to see any kind of logs which could maybe help me work out why it is failing.


To confirm: if I go to the tester and use the server "otp server", which is the one I created, it fails. If I flip it to the local database server and just use the same username and just the password, it is fine.
Is there something I am doing wrong there? It seems weird that my user can be used on either authentication source.