2FA authentication suddenly fails

Hello everyone,

I installed Matomo a few months ago and everything was running just fine. Everything was set up and 2FA was enabled, then forced for everyone, and it was working (for the last month at least). But two days ago 2FA started to fail: nobody could log in unless using recovery codes.

I tried to disable / enable the plugin without success (when re-enabled). I removed 2FA enforcement to allow people to log in again and tried to enable 2FA again for my SU account only, but the final check always fails.

Knowing that, I searched a little bit more, and found that 2FA went “out of sync”. In fact, asking for the server's current date and time (using date under Linux), I saw that the server time was 4 min late (for this I am also emailing my server host company, to be sure). BUT, I’m unsure whether this is new or not, as I also have a WordPress instance on that same server where 2FA has been working for years and is still working with this same 4 min difference!
I validated this by manually setting the time minus 4 min on my phone, and the generated OTP was accepted by Matomo's 2FA final check, so I could enable 2FA on my SU account. On the contrary, the OTPs generated for the WordPress instance were failing…
Of course, if I sync my phone again to global time, my OTP generator and my Matomo instance are not synced and I can’t log in. But I can log in to the WordPress instance.
What is strange is that 3 days ago, both authentications were working.

What I think is that maybe, when initializing, the WordPress plugin I use for 2FA took into account the time difference by remembering the user’s time (? so the systems are “synced” with this difference, as when we must take into account local time and global time) and still uses it. But Matomo's 2FA plugin doesn’t?
Or maybe the first uses some NTP server it relies on to be sure to be synced, whereas the other only uses the server’s local time?
Sincerely, that is just a guess and I’m still searching (maybe I’ll read the code…), that is why I post here to get help.

To sum up what is for sure is that:

  • 2FA was working (whether or not this 4 min difference already existed)
  • I run Matomo 4.9.1
  • Nothing was changed two days ago (unless I missed some auto-update that took place? I’ll double check.)
  • 2FA works if I manually sync the OTP generator to the server’s local date/time
  • The other 2FA system on the same server still works…

I hope someone can help me on this strange issue.

Just after posting here I started to search again and found how the WP plugin I use works regarding 2FA:
Is Matomo's 2FA reference time mechanism similar?

Matomo’s 2FA uses TOTP (just like most other systems) and indeed this standard is strongly dependent on the fact that the server and the phone have the exact same time as the code is calculated by also using the current time. I think Matomo just like most software also accepts the code “before” and “after” the current one to avoid slight time drifts, but anything larger than that means that it won’t work.

Thank you @Lukas for this answer. I totally get that. Some systems offer to define an offset window (up to 10 cycles in general), just to share this information with you.

Would you be interested in implementing the following mechanism?
– Use NTP time to check the TOTP (and the user can even select the NTP server he wants to use when installing Matomo and later through Matomo's settings)
– If that fails, use server time for the TOTP

To me this would offer better resilience to server time drift. And it turns out this is exactly what I am experiencing here, with different behaviors and resiliences from Matomo and Wordfence and thus different results (can’t/can access…).
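To make concrete both Lukas's point about TOTP accepting only the codes just before and after the current 30 s step, and the NTP-first-then-local-time scheme proposed above, here is an added worked example. It is not code from Matomo, Wordfence or anyone in this thread: it implements RFC 4226 HOTP and RFC 6238 TOTP directly, then replays the thread's situation with constructed times (a phone on the correct time, a server clock 240 s behind) using the RFC 6238 Appendix B test key. The `verify_with_fallback` function and its clock callables are an assumption of how the proposed mechanism could look; a real deployment would put an NTP query behind the first callable.

```python
"""RFC 6238 TOTP with a skew window, plus verification against a preferred clock
with fallback. Added example; the fallback design is assumed, not Matomo's code."""
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6     # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole steps since the epoch."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float, window: int = 1, step: int = STEP) -> bool:
    """Accept the code for the current step and up to `window` steps on either side.
    window=1 is the usual +/-30 s tolerance; a 4 min drift is 8 steps and is rejected."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    base = int(now // step)
    # compare_digest keeps the comparison constant-time for each candidate
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-window, window + 1))


def verify_with_fallback(secret: bytes, code: str, clock_sources, window: int = 1):
    """Assumed design for the proposal in the thread: try each (name, clock) pair in
    order (e.g. NTP first, then the local clock); a clock that raises OSError is
    skipped. Returns (accepted, name_of_clock_that_accepted_or_None)."""
    for name, clock in clock_sources:
        try:
            now = clock()
        except OSError:
            continue
        if verify_totp(secret, code, now, window):
            return True, name
    return False, None


# Constructed scenario mirroring the thread: phone on correct time, server 4 min slow.
RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test key (SHA-1 column)
PHONE_NOW = 1234567890.0               # one of the RFC 6238 test timestamps
SERVER_NOW = PHONE_NOW - 240           # 240 s = exactly 8 TOTP steps behind


def drift_scenario() -> dict:
    """Check the phone's code the way a slow server would, under several policies."""
    code = totp(RFC_SECRET, PHONE_NOW)

    def ntp_clock():          # stand-in for an NTP query that succeeds
        return PHONE_NOW

    def dead_ntp():           # stand-in for an NTP query that cannot reach the server
        raise OSError("ntp unreachable")

    def local_clock():        # the server's own (drifted) clock
        return SERVER_NOW

    return {
        "strict_window": verify_totp(RFC_SECRET, code, SERVER_NOW, window=1),
        "wide_window": verify_totp(RFC_SECRET, code, SERVER_NOW, window=10),
        "ntp_first": verify_with_fallback(RFC_SECRET, code, [("ntp", ntp_clock), ("local", local_clock)]),
        "ntp_down": verify_with_fallback(RFC_SECRET, code, [("ntp", dead_ntp), ("local", local_clock)]),
    }


if __name__ == "__main__":
    print(drift_scenario())
```

With the strict +/-1 window the slow server rejects a code from a correctly synced phone, which is the symptom in the thread; a +/-10 window accepts it because the 8-step offset falls inside the window, and the NTP-first check accepts it from the trusted clock while the local clock is still wrong. The wide window is not free: every extra step is another valid code per login attempt (21 accepted codes out of 10^6 at window=10), so fixing the server clock with NTP at the OS level is preferable to widening the window.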