External User 2FA Invalid Pin

I am running gitlab-ce 15.3.3 and I have “Enforce two-factor authentication” enabled with a grace period of 0.

I recently created an external user that is unable to set up a 2FA device. They follow the instructions to register a 2FA device but they get “Invalid pin code”. The problem is almost identical to the issue described here except that this is self-managed GitLab (not gitlab.com) and the suggested workaround (extending the grace period and registering a 2FA device later from the user’s profile) doesn’t work.

I created a test external user and was able to configure 2FA without a problem. The only difference (that I am aware of) between me and the external user who is having trouble is that my 2FA device is in the same time zone as the GitLab server. The external user is in a different time zone.

I tried changing the time zone of my cellphone (which I use as my 2FA device) and was still able to set up 2FA without a problem.

Things I have already checked/tried, all resulting in the same “Invalid pin code” error message:

  • GitLab’s 2FA troubleshooting guide
  • Server’s time and timezone are correct
  • Manually set the user’s timezone in their profile (user is logging in from a different timezone than the one in which the server is located)
  • Temporarily disable “Enforce two-factor authentication”, have the user log in and set up 2FA

Any thoughts on the best way to debug this? Are there any GitLab logs that would give hints on why this particular user isn’t able to configure 2FA? I’ve looked in /var/log/gitlab/ but I haven’t found anything relevant.

Thanks!

What TOTP/2FA app is this user using?

If they’re using Google Authenticator, can you check for a time sync issue: Two-factor authentication | GitLab
If that doesn’t work, could you have them try using a different TOTP application?

If they’re not using Google Authenticator, can they try using Google Authenticator?

If at all possible, I’d advise they set up and use a U2F hardware device like YubiKey, SoloKey, Google Titan Security Key.
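As an added illustration of the time-sync point raised in this reply (this is example code, not part of the thread or GitLab's own implementation): a minimal RFC 6238 TOTP generator and verifier in Python. It shows why a device's time zone cannot cause “Invalid pin code” (TOTP is computed from the Unix epoch, which is the same everywhere) while real clock skew on the device can, once it exceeds the verifier's tolerance window. The ±1-step window and the 30-second step are assumptions chosen for the demo, not values taken from GitLab's configuration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumed TOTP step; RFC 6238 default
DIGITS = 6          # assumed code length; RFC 6238 default
DRIFT_STEPS = 1     # assumed verifier tolerance: accept previous/current/next step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                drift_steps: int = DRIFT_STEPS) -> bool:
    """Server-side check: accept the code if it matches any step within the window.

    compare_digest keeps the comparison constant-time regardless of where the
    submitted code first differs from the expected one.
    """
    counter = server_time // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def device_code(secret: bytes, server_time: int,
                tz_offset_seconds: int, clock_skew_seconds: int) -> str:
    """Model what an authenticator app on a phone would produce.

    tz_offset_seconds only changes the wall-clock the phone *displays*; the
    epoch value fed into TOTP is unaffected by it. clock_skew_seconds is the
    real difference between the phone's clock and true time, and that does
    shift the epoch value and therefore the code.
    """
    displayed_wall_clock = server_time + tz_offset_seconds  # cosmetic only
    epoch_on_device = server_time + clock_skew_seconds       # what TOTP uses
    assert displayed_wall_clock is not None  # silence "unused" for the demo
    return totp(secret, epoch_on_device)


def decode_provisioning_secret(b32_secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (as in otpauth:// URIs)."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # Constructed demo secret, not a real enrolment.
    secret = decode_provisioning_secret("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    # Same moment, device 9 hours ahead in wall-clock terms, no real skew: accepted.
    print(verify_totp(secret, device_code(secret, now, 9 * 3600, 0), now))
    # Device clock 3 minutes behind true time: rejected as "invalid pin".
    print(verify_totp(secret, device_code(secret, now, 0, -180), now))
```

The RFC 6238 test vectors (shared secret `12345678901234567890`, SHA-1) give a quick way to confirm the generator before trusting the verifier's conclusions about a user's device.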

The user was using Microsoft Authenticator. I asked them to try a different 2FA app (I’m not sure which one) and they were able to register that device.

Thanks for the help!