TOTP + YubiKey: Local + TOTP tester always “Authentication failed”

Started by opnessense, Today at 06:12:02 AM

Hi,

I'm trying to enable TOTP 2FA for the admin user on the GUI using a YubiKey (Yubico Authenticator on Windows), but the Local + TOTP tester almost always fails with "Authentication failed." Once it worked, but every attempt after that has failed.

Environment

OPNsense version: 26.1.4

Authentication servers (GUI): Local Database and Local + TOTP

TOTP server:

Type: Local + Timebased One Time Password

Token length: 6

Time window: 2 (also tried empty)

Reverse token order: unchecked (also tested checked)

User / token

User: admin

OTP seed generated in GUI (System → Access → Users → admin → OTP seed, "Generate new secret" + Save)

Enrolled via QR code into YubiKey Authenticator on Windows

TOTP code: 6 digits

Time

Timezone: Europe/Rome

NTP enabled with pool servers

date on the firewall matches PC time (≤ 1–2 seconds drift)

Problem

admin can log in with username + password (via Local Database).

In System → Access → Tester:

Server: Local + TOTP

User: admin

Password: adminPassword + 6‑digit TOTP (also tried TOTP+password with reverse order)

Result: almost always "Authentication failed."

It did work once (tester accepted the credentials and showed a success), but all attempts before and after that were "Authentication failed."

What I already tried

Regenerated the admin OTP seed multiple times and saved.

Deleted and re‑added the account in YubiKey Authenticator using the new QR code each time.

Rebooted the firewall.

Restarted the webgui service under System → Diagnostics → Services.

Checked System Logs: I only see some lighttpd errors like php-fastcgi.socket-X: Connection refused, but nothing clearly related to TOTP or authentication failures.

Question

Are there any known issues with Local + TOTP + YubiKey on 26.1.4, or extra logs/debug options I can enable to see why the TOTP is rejected? The fact that the tester worked once and then never again makes me think of some state/bug rather than a simple time or password format issue.

Thanks.

Uncheck Local Database in Settings > Administration > Authentication. No need to have both TOTP and Local DB enabled. Then test again.
Intel i3-8300T - Intel i350_T2 - 8GB RAM

Also, the tester defaults back to Local Database after each test. Just something to watch out for :)
Intel i3-8300T - Intel i350_T2 - 8GB RAM