A small number of users get invalid pin when setting up 2FA

So I’m having a problem with 2FA on our instance. We have to have 2FA for all users, however some of them cannot set up 2FA successfully. Most users have no issues, but at the moment I have 2 who always get invalid pin errors.

  • I have tried using my phone to set up 2FA on these users’ accounts and it works fine.
  • The users have tried multiple apps.
  • The users have tried setting up TOTP based 2fa using the same phone and app on a different service (google) successfully.
  • Only 2 of 40 users have this issue.

So it appears that the problem isn’t the user accounts, or the user’s phones or 2FA apps, or a problem with the secrets file.

Update: After configuring NTP on the server (even before that, the server was within 3s of the time on the users’ devices, so I don’t see why it should have been an issue), both users were able to set up 2FA with Google Authenticator (both had previously tried this). The problem persists with other 2FA apps. I’m not sure I’m happy, since I still don’t really know what the issue was, but it seems to be sorted for now.

Turns out configuring NTP doesn’t fix the issue.

If anyone is having the same issue, for us it was caused by a bug, patch 13.4.3 fixed it: https://gitlab.com/gitlab-org/gitlab/-/issues/247461
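The reasoning in the update above (a 3 s clock difference between phone and server should not produce an invalid pin) can be checked against RFC 6238 directly. The following is an added example, not code from this thread or from GitLab: a minimal HOTP/TOTP implementation with the usual ±1-step verification window, using the RFC 4226/6238 test key as a constructed secret, and a helper that shows whether a given phone/server skew still validates.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret: base32 of the ASCII key "12345678901234567890",
# which is the RFC 4226/6238 test vector key, not a real account secret.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # what Google Authenticator, 1Password etc. display


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the code if it matches the current step or any step within +/- window.
    Uses a constant-time comparison; window=1 tolerates roughly one step (30 s) of skew."""
    base = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base + delta), code):
            return True
    return False


def skew_tolerated(secret_b32: str, phone_time: int, server_time: int, window: int = 1) -> bool:
    """Does a code generated on the phone's clock verify against the server's clock?"""
    return verify_totp(secret_b32, totp(secret_b32, phone_time), server_time, window)


if __name__ == "__main__":
    # Phone 3 s behind the server across a step boundary: still accepted with window=1.
    print(skew_tolerated(SECRET_B32, 1111111109, 1111111112))            # True
    # The same 3 s skew is rejected only if the server allows no window at all.
    print(skew_tolerated(SECRET_B32, 1111111109, 1111111112, window=0))  # False
```

The two sample times sit on either side of a 30 s step boundary, so the example shows that a few seconds of drift only fails when the verifier uses no window at all; a persistent "invalid pin" with a synced clock points at something other than time, as the GitLab issue linked above turned out to be.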

This same issue started happening for me on Friday 4/2. I could only use my recovery code to login. I disabled 2fa and reset it up. Today the same thing happened. This is super frustrating. I currently use 1password. Am I the only person having this issue?