I installed Matomo a few months ago and everything was running just fine. Everything was set up and 2FA was enabled, then forced for everyone, and it was working (for the last month at least). But two days ago 2FA started to fail: nobody could log in unless using recovery codes.
I tried to disable / enable the plugin without success (when re-enabled). I removed 2FA enforcement to allow people to log in again and tried to enable 2FA again for my SU account only, but the final control always fails.
Knowing that, I searched a little bit more and found that 2FA went “out of sync”. In fact, asking for the server's current date and time (using date under Linux), I saw that the server time was 4 min late (for this I am also emailing my server host company, to be sure). BUT I'm unsure whether this is new or not, as I also have a WordPress instance on that same server where 2FA has been working for years and is still working with this same 4 min difference!
I validated this by manually setting the time minus 4 min on my phone, and the generated OTP was accepted by Matomo's 2FA final control, so I could enable 2FA on my SU account. On the contrary, OTPs generated for WordPress were failing…
Of course, if I sync my phone again to global time, my OTP generator and my Matomo instance are not synced and I can't log in. But I can log in to the WordPress instance.
What is strange is that 3 days ago, both authentications were working.
What I think is that maybe, when initializing, the WordPress plugin I use for 2FA took into account the time sync difference by remembering the user's time (? so the systems are “synced” with this difference, as when we must take into account local time and global time) and still uses it. But Matomo's 2FA plugin doesn't?
Or maybe the first uses some NTP it relies on to be sure to be synced, whereas the other only uses the server's local time?
Sincerely, that is just a guess and I’m still searching (maybe I’ll read the code…), that is why I post here to get help.
To sum up, what is for sure is that:
- 2FA was working (whether or not this 4 min difference already existed)
- I run Matomo 4.9.1
- Nothing was changed two days ago (unless I missed some autoupdate that took place? I'll double check.)
- 2FA works if I manually sync the OTP generator to the server's local date/time
- The other 2FA system on the same server still works…
I hope someone can help me on this strange issue.
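An added example, not code from the original post, from Matomo or from any WordPress 2FA plugin: a minimal RFC 6238 TOTP verifier in Python that shows how a fixed clock offset between the phone and the server interacts with the verifier's time window. With a 30-second step, a 4-minute offset is 8 steps; a verifier that only looks one step either side rejects the live code, one that looks eight steps either side accepts it, and a phone backdated by 4 minutes matches at offset zero. The secret, timestamps and the two window sizes are constructed for illustration; that the two products on this server differ in exactly this way is an assumption, not something the post establishes.

```python
"""Minimal RFC 6238 TOTP verifier used to show how a 4-minute clock
offset between phone and server interacts with the verifier's window.
Added example code, not Matomo or WordPress plugin code.  The secret
and timestamps below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import struct

STEP = 30       # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Code the authenticator app shows at Unix time `at` (measured on its own clock)."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, server_time: int, window: int = 1, step: int = STEP):
    """Return the step offset at which `code` matched, or None if it did not.

    `window` is how many steps either side of the server's current step are
    accepted: window=1 tolerates roughly +/-30 s of skew, window=8 roughly
    +/-4 min.  Each candidate is compared in constant time."""
    base = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return delta
    return None


# Constructed scenario: phone on true time, server clock 240 s behind it.
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")   # constructed test secret, not a real one
PHONE_TIME = 1_700_000_000
SERVER_TIME = PHONE_TIME - 240


def skew_report(window_strict: int = 1, window_loose: int = 8) -> dict:
    """Replay the post's three observations under a strict and a loose window."""
    live_code = totp(SECRET, PHONE_TIME)          # phone synced to global time
    backdated = totp(SECRET, PHONE_TIME - 240)    # phone manually set 4 min back
    strict = verify(SECRET, live_code, SERVER_TIME, window_strict)
    loose = verify(SECRET, live_code, SERVER_TIME, window_loose)
    return {
        "strict_window_accepts_live_code": strict is not None,
        "loose_window_accepts_live_code": loose is not None,
        # offset at which the loose verifier matched, converted back to seconds
        "measured_skew_seconds": None if loose is None else loose * STEP,
        "strict_window_accepts_backdated_code":
            verify(SECRET, backdated, SERVER_TIME, window_strict) is not None,
    }


if __name__ == "__main__":
    for key, value in skew_report().items():
        print(f"{key}: {value}")
```

The offset returned by `verify` is a cheap diagnostic: if the loose verifier consistently matches at +8 steps, the server clock is about 240 s behind the phones. Widening the window is not the fix, since every code then stays valid for minutes longer than intended; correcting the server clock (for example with NTP) keeps the strict window usable.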