2FA code

Same here… I have set it up using both Authy and the MS Auth app. The plugin will compelte the set up and allows me to download the rescue codes however the log in page will not accept ANY code from either app, nor will it accept the recover key when entered, only give the same message as OP. This is useless, not to mention dangerous for site builders.

I have disabled every single plugin and this still throws the expired or invalid code error.

We cannot be the only two people with this issue.

• This reply was modified 3 years, 5 months ago by jessenoplace.

Hi @dannielhendrix,

Thanks for your message. If you were able to set up 2FA successfully, the code on your authentication app must have matched with the server time at the point of creation. However, you can still check whether times match and whether there are any offsets at Wordfence > Tools > Diagnostics > Time. Let me know if there are any discrepancies there.

This error can also present if you’re attempting to use 2FA with a custom login page, either created yourself or bundled with a theme. Currently, 2FA is not supported on custom login/registration pages.

For your information also in case you’re totally locked out at the moment, there are two ways to get back into the site if your 2FA isn’t working.

The first way is if you have added the site in Wordfence Central (a free site management tool in your account on wordfence.com):

• Login to Wordfence.com and look for the Configuration tab.
• Click the gear icon at the end of the row that the site you need to access is on.
• Scroll down to the Login Security Options section and expand it by clicking the small black arrow to the right.
• In the section that says “Whitelisted IP addresses that bypass 2FA” add your public facing IP address.
  NOTE : You can get your public facing IP by clicking this link.
• Scroll back to the top of the screen and save the changes.
• You should now be able to login to your site with just a username and password.

If you haven’t added your site to Wordfence Central follow these steps:

• Please use FTP/SFTP — or any file manager your web host provides via their administration panel.
• Look inside the /wp-content/plugins/ directory and rename the wordfence directory to wordfence.bak. This will deactivate Wordfence and allow you to login without the 2FA code.
• Once you have logged in to your WordPress admin you can name the folder back to wordfence again.
• Go to your user profile and add 2FA back to your account, making sure to download the backup codes in case of problems in the future.

Thanks,

Peter.

Hi @jessenoplace, as per the forum guidelines we can only really address the topic starter here. If you’re happy to follow the progress of this topic, that’s fine, but it’s possible that the cause may not be the same.

We can better help our customers if topics concentrate on the specific issues for a single user just in case there are differences in the server setups or the solution required. We’ll always be glad to help you out. Feel free if you do start a new topic to include any steps from this topic that you’ve already tried, to assist us with further troubleshooting.

Thanks,

Peter.

Hello Peter,

This is how looks Wordfence > Tools > Diagnostics > Time: https://prnt.sc/1uupvyr
I am not using a custom login page.
The idea is this: I activated 2FA 5-6 months ago and everything worked perfectly but in the last days any code I enter I receive the mentioned error. I finally managed to get into wp-admin and I uninstalled 2FA. Can it be a cache problem?
I will like to mention that I have 2FA on 4 other websites and everything is OK and I hope it stays that way.

Thank you,
Daniel

Hi @dannielhendrix,

Clearing caches are always a good idea when encountering problems that weren’t previously there but I’m not sure in this case that’s the cause. I am concerned that in your screenshot, the time received by Wordfence at your host is 2 minutes out of sync with our servers. As 2FA codes only last 30 seconds, I feel that the current code on your app will be technically valid but not being validated as correct due to a different one being expected.

Could you please show this screenshot to your hosts’ support channels and see how their servers are synchronized? Naturally, as a large number of Wordfence customers are using 2FA successfully I feel that our time is correct and the server where your site is hosted is the one behind.

Thanks,

Peter.