
What to do if Google authenticator always gives the wrong codes


Good day.
I would like to describe a 2FA problem on Android 4.4.2 KitKat devices and the solution that, in our case, ended a long search.

Some time ago, my colleagues and I decided to add two-step authentication (two-factor authentication, or 2FA for short) to our small office server running Ubuntu Server.

2FA is an extra layer of security and a good addition to the existing authentication mechanism. Besides the usual login and password of the user logging in, a one-time code is required: it changes every 30 seconds and is generated by a device in the user's possession. To generate the codes we used the Google Authenticator app on an Android phone. After a one-time setup, the app generates codes with a lifetime of 30 seconds, and the server generates exactly the same codes; on login the two are compared.
Since the data is not transmitted by the server and is stored only on the device, this mechanism is more secure than sending confirmation codes (for example, the 3D-Secure SMS confirmations used in banking systems).
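To make the mechanism concrete, here is an added example (not from the original post, and not Google Authenticator's or the PAM module's code) that derives the codes the way both the phone and the server do, and shows the server-side window check that tolerates a few seconds of clock drift but not a time-zone-sized offset. It assumes the standard RFC 4226/6238 algorithm with HMAC-SHA1 and 6 digits; the secret is the RFC 6238 reference test key and the timestamp in the demo is constructed.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret as encoded in the QR code (base32). This is the RFC 6238
# reference test key ("12345678901234567890"), used here only for illustration.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, the 30-second lifetime the post describes
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=TIME_STEP):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
    so phone and server agree only if their clocks agree (time zone included)."""
    return hotp(secret_b32, int(unix_time) // step)


def verify(secret_b32, submitted, server_time, window=1):
    """Server-side check: accept the code of the current step and of `window`
    steps on either side, so small drift passes but a time-zone-sized offset does not."""
    current = int(server_time) // TIME_STEP
    return any(hmac.compare_digest(hotp(secret_b32, current + d), submitted)
               for d in range(-window, window + 1))


def phone_vs_server(phone_offset_seconds, server_time=1_700_000_000):
    """Simulate a phone whose clock is off by `phone_offset_seconds` (constructed server time)."""
    submitted = totp(SECRET_B32, server_time + phone_offset_seconds)
    return verify(SECRET_B32, submitted, server_time)


if __name__ == "__main__":
    print("code at T=59:", totp(SECRET_B32, 59))              # 287082 (RFC 6238 vector, 6 digits)
    print("phone 20 s ahead accepted:", phone_vs_server(20))
    print("phone one hour off accepted:", phone_vs_server(3600))
```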


There are plenty of step-by-step guides online for configuring the server side, and they are all simple and clear. I followed this article.

After configuring the server, I installed the Google Authenticator app on a Lenovo P780 phone, scanned the QR code from the monitor with the phone, and got the coveted digits for logging in. Before restarting SSH, do not forget to save the backup keys for restoring access.

Now everything is ready to use! Restart SSH, connect to the server, enter the password, after the password we are asked for a Verification code, type it in from the phone and... we are asked for the password again?! It looks like this:
ssh user@server.ru
Password: <enter password>
Verification code: <enter the code from the phone>
Password: <? !!, enter the password again>
Verification code: <enter the code from the phone>
Password: <enter the password again>
Verification code: <re-enter the code>
user@server.ru's password: <once again password>
Permission denied, please try again.
user@server.ru's password: <re-enter password>
Received disconnect from xx.xxx.xx.xx: 2: Too many authentication failures for user


At first we thought we had made a mistake in the configuration, but after trying several mobile devices it became obvious that the codes generated by the Google Authenticator app on Android 4.4.2 KitKat are always wrong.

The "solutions" we found, and their results:


  1. If you roll back the Android version, it starts working correctly. (We lived with this "solution" for a while, but decided to move on.)
  2. Since the problem boils down to an incorrect time zone, many solutions aim precisely at correcting it. The TimeZone Fixer app can really help with this, but after using it some applications begin to show the wrong time and have to be fixed manually. (This solution has its drawbacks and risks. All information about the app is available on w3bsit3-dns.com.)
  3. Adjust the time manually: set the clock by hand so that the phone and the server are synchronized. To be honest, this method did not work for us; all attempts gave nothing, although some people claimed it worked for them. In any case, the prospect of losing a working clock in the phone is not the most pleasant...
  4. Time synchronization in the Google Authenticator app's own settings (no result in our case, although there were comments that it helped someone).


The final solution: FreeOTP


While searching the web for a solution, I had already come across the Google Authenticator repository on GitHub, where our bug is tracked as an issue, and the suggested solution is:
“You can use FreeOTP Authenticator (by Red Hat) instead of Google Authenticator until someone fixes it.”


For a long time I thought this recommended a different authentication mechanism that would have to be installed on the server in place of Google's, so I diligently kept looking for other solutions. I wanted to make Google Authenticator work, but in fact they recommend just using a different Android app; the backend stays unchanged.

Red Hat's FreeOTP Authenticator app: after setting it up with the same QR code, everything started working without any need to correct anything.

Unfortunately, I cannot tell you the cause of the error in Google Authenticator, but I hope my sad experience will save someone time.

I look forward to your comments! Thanks for your attention.

Source: https://habr.com/ru/post/257197/
