### Summary For unknown reasons the 2 factor authentication stopped working. So it is not possible to login via 2FA anymore, we must use the recovery codes and disable the 2 factor authentication. Furthermore it's not possible to reconfigure the 2FA. The same behaviour also applies for new users. So new users can not setup the 2fa either. I think this might be an old bug, which is still present. I found an old discussion, which was never solved. See down below. ### Steps to reproduce New User with 2FA 1. use gitlab installation version 11.6.3-ee (gitlab-ce@76c33c63e597ebbe9cf20d47725a42a8169918d1) with omnibus. 2. configure user with 2FA: 2.1. scan QR code with google authenticator 2.2. enter generated token 3. configuration of 2FA fails since token is not accepted with message "invalid token" Existing User with 2FA 1. use gitlab installation version 11.6.3-ee (gitlab-ce@76c33c63e597ebbe9cf20d47725a42a8169918d1) with omnibus. 2. Login user with 2FA 3. 2FA Token is not accepted with message "invalid token" 4. Enter recovery code to login 4.1. Login successful 2. Re-configure 2FA: 2.1. scan QR code with google authenticator 2.2. enter generated token 3. configuration of 2FA fails since token is not accepted with message "invalid token" ### Example Project It's not possible to reproduce on Gitlab.com. I was able to setup my 2FA successfully on gitlab.com We are using a gitlab installation version 11.6.3-ee (gitlab-ce@76c33c63e597ebbe9cf20d47725a42a8169918d1) with omnibus. ### What is the current *bug* behavior? For unknown reasons the 2 factor authentication stopped working. So it is not possible to login via 2FA anymore, we must use the recovery codes and disable the 2 factor authentication. I looks like that everyone of my team, who did not empty their browser cache & cookie can still login with the 2FA. But after the browser cache & cookie has been emptied is not possible via 2FA anymore. Furthermore it's not possible to reconfigure the 2FA. When I disabled 2FA, re-enabled the 2FA and scanned the QR code with Google Authenticator app (same behaviour with 1Password and FreeOTP), gitlab did not accept the generated token: Message "invalid token". The same behaviour also applies for new users. So new users can not setup the 2fa either. ### What is the expected *correct* behavior? It's expected that the 2FA is working. That the generated token is accepted for login and that it's possible to re-configure the 2FA. #### Results of GitLab environment info <details> <summary>Expand for output related to GitLab environment info</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) System information System: Ubuntu 14.04 Proxy: no Current User: git Using RVM: no Ruby Version: 2.5.3p105 Gem Version: 2.7.6 Bundler Version:1.16.6 Rake Version: 12.3.1 Redis Version: 3.2.12 Git Version: 2.18.1 Sidekiq Version:5.2.3 Go Version: unknown GitLab information Version: 11.6.3-ee Revision: 76c33c6 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql DB Version: 9.6.11 URL: http://gitlab.p*****.com HTTP Clone URL: http://gitlab.p*****.com/some-group/some-project.git SSH Clone URL: git@gitlab.p*****.com:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 8.4.3 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git </pre> </details> #### Results of GitLab application Check <details> <summary>Expand for output related to the GitLab application check</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 8.4.3 ? ... OK (8.4.3) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... LDAP is disabled in config/gitlab.yml Checking LDAP ... Finished Checking GitLab App ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 8/3 ... yes 7/4 ... yes 7/5 ... yes 11/6 ... yes 11/7 ... yes 8/8 ... yes 16/9 ... yes 16/10 ... yes 23/11 ... yes 7/13 ... yes 23/14 ... yes 23/15 ... yes 7/16 ... yes 23/17 ... yes 7/18 ... yes 8/19 ... yes 7/20 ... yes 23/22 ... yes 6/23 ... yes 7/24 ... yes 23/25 ... yes 7/26 ... yes 7/27 ... yes 5/28 ... yes 7/29 ... yes 7/30 ... yes 7/31 ... yes 7/32 ... yes 27/33 ... yes 7/34 ... yes 7/35 ... yes 7/36 ... yes 7/38 ... yes 23/39 ... yes 7/41 ... yes 7/45 ... yes 7/46 ... yes 7/48 ... yes 7/50 ... yes 23/51 ... yes 7/53 ... yes 7/54 ... yes 7/55 ... yes 7/56 ... yes 23/57 ... yes 7/59 ... yes 7/60 ... yes 7/62 ... yes 7/63 ... yes 7/64 ... yes 7/65 ... yes 7/66 ... yes 7/67 ... yes 7/68 ... yes 7/69 ... yes 7/70 ... yes 7/71 ... yes 7/72 ... yes 7/73 ... yes 7/75 ... yes 7/76 ... yes 7/77 ... yes 7/78 ... yes 7/79 ... yes 7/80 ... yes 7/81 ... yes 16/82 ... yes 7/84 ... yes 8/85 ... yes 23/86 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.5.3) Git version >= 2.18.0 ? ... yes (2.18.1) Git user has default SSH configuration? ... yes Active users: ... 25 Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled) Checking GitLab App ... Finished Checking GitLab subtasks ... Finished </pre> </details> ### Possible fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/25266 << unresolved