Can't add 2FA

In my GitLab I need to enable 2FA to continue using the service. But when I try to add 2FA, it only gives me an invalid PIN error. Please check my screenshot (I removed sensitive data):

And when I enter the PIN code from my Google Authenticator app:

I also can’t navigate to my projects or take any action until I set up 2FA.

1 Like

Here too. First I can’t access my GitLab account because two-factor stopped working, and now I can’t generate another PIN because of the invalid PIN error.

I have exactly the same behaviour

Well, it turns out that the clock of the code generator app on my phone wasn’t correctly synced. You can fix that by either checking that your device’s time is correctly synced, or by going into the Authenticator app’s configuration and forcing a sync under Settings -> Time correction for codes.

Thanks for the feedback. I tried to sync my Authenticator app and it says it was already synced correctly.

Hello, I have the same issue. Is there a fix for it? I cannot add 2FA to our GitLab Community account; it always tells me “Invalid Pin”.
It is not a PIN timeout, and it is not related to the authenticator.
Any suggestions?

1 Like

I’m still getting the error, still not fixed

Hi @executable! You may have already tried this, but I think you should reach out to support@gitlab.com. Our experts take on login cases all the time and I bet they can help!

Once you get all sorted, please come back here and share what you’ve learned! Thanks! :blush:

GitLab is installed on a private server; do they still help with that?

Do you know if there are any other users on this private GitLab CE instance having this problem?

If so, I suspect this problem might be related to your one time password authenticator app.

To verify or rule out the possibility that the problem is isolated to your OTP app, can you try to register using a different OTP Authenticator App?

Here are some I’d recommend:

  • Authenticator: open source app for iOS devices.
  • Google Authenticator: proprietary app for iOS and Android.
  • andOTP: feature rich open source app for Android which supports PGP encrypted backups.
  • FreeOTP: open source app for Android.

If we can get it registered with a different app, this indicates there’s not a problem registering 2FA on the server, but there’s likely a problem with your OTP app.

If other users are experiencing this same problem on your GitLab server, or if switching to a different OTP app doesn’t work, I suggest checking the logs for any relevant error messages. An easy way to do this would be to run sudo gitlab-ctl tail on the GitLab server and then duplicate the problem by entering your OTP PIN code and clicking “Register”. If it’s failing at the system or instance level, I’d expect to see some relevant errors in the logs that we can use to troubleshoot further.

Let us know how it goes!

3 Likes

I am also experiencing the same problem. Last Friday I had to remove 2FA from all our users due to a regression which was patched on Saturday. Unfortunately, I am now seeing an error when trying to re-establish TOTP.

I have tried MS Authenticator and andOTP, and confirmed that NTP is working properly on the on-prem GitLab server and my phone.

I tried running the above tail command, but I did not see anything relevant. It’s possible I missed something as it’s very noisy, but nothing stood out. Searching for my username only showed some GET requests, not any POSTs which failed.
Is there any place to look for more useful debugging information?

Hello @executable .

I had exactly the same problem. I searched online and the only matching issue I’ve found was yours :smiley: You were everywhere: Stack Overflow, Server Fault and here, on GitLab.

I am pretty sure this is a bug on gitlab-side.
My use-case is:

  • deployed gitlab
  • activated 2FA enforcement
  • users activated 2FA
  • added 2FA for root and a few hours later deactivated it
  • I did not activate root’s 2FA because I was waiting for a Bitwarden deployment
  • signed-in again on my gitlab instance, after the grace period of 48h to activate 2FA & bam. I was stuck on the activation page with invalid pin code.

I was about to remove 2FA for each user using: sudo gitlab-rake gitlab:two_factor:disable_for_all_users but I was pretty sure that would fail due to the enforcement.

So I upgraded GitLab to the latest version and started forensics in its database (PostgreSQL).

sudo gitlab-rails dbconsole
gitlabhq_production=> \x on
Expanded display is on.
gitlabhq_production=> select * from application_settings;

[...]
require_two_factor_authentication                           | t
two_factor_grace_period                                     | 48
[/...]

This is what we are looking for. I tried:
UPDATE application_settings SET require_two_factor_authentication = 'f' WHERE id=1;

Restarted gitlab instance and it worked like a charm.
I was able to log in, navigate my GitLab instance/administration, activate a 2FA login and reactivate/disable 2FA enforcement to be sure GitLab cleans up any problem I might have created in the database.

And then I registered on this forum to help you because I saw you seem to have been stuck on that for a long time. Please excuse my bad English, I’m pretty tired :stuck_out_tongue:

Forza !
John

2 Likes

This seems to be the error for one of the users on our self-managed GitLab instance.

Hi, I’m having a related issue, I’m not sure if it’s the same though. Was every account on your server affected, or only that root account? I have an issue where some users can set up 2FA fine, others get invalid pin errors.

Thanks for the reply! I solved it by syncing the datetime of my server using Network Time Protocol (NTP) on my CentOS 7 server.

2 Likes
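The clock-sync fixes reported above (time correction in the authenticator app, NTP on the server) both come down to how TOTP is checked: the PIN is derived from the current 30-second time step, so a skewed clock on either side yields "Invalid PIN". The following is an added example, not part of any post and not GitLab's code; the secret (the RFC 6238 test key), the clock values, the ±1-step tolerance and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in Base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def match_offset(secret_b32, pin, server_time, max_steps):
    """Return the step offset (nearest first) at which pin is valid, else None."""
    for off in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + off * STEP), pin):
            return off
    return None


def demo():
    server_time = 1111111109           # constructed server clock (Unix seconds)
    phone_time = server_time - 120     # constructed phone clock, 2 minutes slow
    pin = totp(SECRET, phone_time)     # what the authenticator app displays
    # Assumed verifier tolerance of +/-1 step: the PIN is rejected.
    accepted = match_offset(SECRET, pin, server_time, max_steps=1) is not None
    # Troubleshooting only: a wide search reveals the skew. Do not widen the
    # accepted window in production; fix the clock (NTP) instead.
    skew_steps = match_offset(SECRET, pin, server_time, max_steps=20)
    return accepted, skew_steps


if __name__ == "__main__":
    accepted, skew = demo()
    print(f"accepted={accepted} skew={skew} steps ({skew * STEP} s)")
```

A negative skew means the device that produced the PIN is behind the server; the same result appears if the phone is correct and the server clock runs fast.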

This doesn’t fix it for us. And the problem is only with certain users (whose phone clocks are synced fine).

I opened an issue here: https://gitlab.com/gitlab-org/gitlab/-/issues/262681, since I can’t tell if this is a bug or a config problem.

Thank you, it works

1 Like

Tried something similar, both without success:

Unfortunately there is still one user that cannot activate 2FA.

I got this working after switching iOS from 24 hour to 12 hour clock.