I am running gitlab-ce 15.3.3 and I have “Enforce two-factor authentication” enabled with a grace period of
I recently created an external user that is unable to set up a 2FA device. They follow the instructions to register a 2FA device but they get “Invalid pin code”. The problem is almost identical to the issue described here except that this is self-managed GitLab (not gitlab.com) and the suggested workaround (extending the grace period and registering a 2FA device later from the user’s profile) doesn’t work.
I created a test external user and was able to configure 2FA without a problem. The only difference (that I am aware of) between me and the external user who is having trouble is that my 2FA device is in the same time zone as the GitLab server. The external user is in a different time zone.
I tried changing the time zone of my cellphone (which I use as my 2FA device) and was still able to set up 2FA without a problem.
Things I have already checked/tried, all resulting in the same “Invalid pin code” error message:
- GitLab’s 2FA troubleshooting guide
- Server’s time and timezone are correct
- Manually set the user’s timezone in their profile (user is logging in from a different timezone than the one in which the server is located)
- Temporarily disable “Enforce two-factor authentication”, have the user log in and set up 2FA
Any thoughts on the best way to debug this? Are there any GitLab logs that would give hints on why this particular user isn’t able to configure 2FA? I’ve looked in /var/log/gitlab/ but I haven’t found anything relevant.
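
An added diagnostic sketch, not part of the original post and not GitLab's code: an RFC 6238 TOTP calculation showing that the code depends on Unix time rather than the device's time zone, plus a search for the clock offset at which a rejected code would have been valid. It assumes the user registers a standard authenticator app (HMAC-SHA1, 30-second step, 6 digits); the secret is the RFC 6238 test key and the helper names `code_on_device` and `matching_offsets` are hypothetical.

```python
import base64, hashlib, hmac, struct
from datetime import datetime, timedelta, timezone

STEP, DIGITS = 30, 6                          # assumed: common authenticator-app defaults
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # constructed: RFC 6238 test key, not a real secret

def totp(secret_b32, unix_time):
    """RFC 6238 code (HMAC-SHA1) for a Unix timestamp."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    pos = digest[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def code_on_device(secret_b32, wall_clock):
    """Code shown by a device whose clock reads the timezone-aware `wall_clock`."""
    return totp(secret_b32, wall_clock.timestamp())

def matching_offsets(secret_b32, code, server_time, max_steps=120):
    """Step offsets (device minus server) at which `code` would be valid."""
    return [k for k in range(-max_steps, max_steps + 1)
            if totp(secret_b32, server_time + k * STEP) == code]

if __name__ == "__main__":
    utc = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)  # Unix 1234567890
    pst = utc.astimezone(timezone(timedelta(hours=-8)))           # same instant, UTC-8
    print("UTC device:  ", code_on_device(SECRET, utc))
    print("UTC-8 device:", code_on_device(SECRET, pst))
    fast = code_on_device(SECRET, utc + timedelta(minutes=5))     # device clock 5 min fast
    print("5 min fast:  ", fast, "valid at offsets",
          matching_offsets(SECRET, fast, utc.timestamp()))
```

A non-zero offset points at a device clock that is wrong in absolute terms; an empty result suggests the device and server do not share the same secret or parameters.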