Two Factor Authentication Stops Working


I had a problem a few months ago where I logged into Evernote for the first time in a while and two factor authentication failed to work.   Evernote's website was rejecting the code.  So I entered by an alternate authentication route.  I deleted two factor authentication.  I re-established two-factor authentication.   I tested to make sure it worked and it did.   Now, a few months later, I tried to enter the Evernote website and once again two-factor authentication fails.  What gives?  This looks like a bug.   I use 2FA on many websites.  Evernote is the only one where it is failing to work.

Link to comment
How sure are you the device you use to generate the cipher code is booked into the right time zone, and has the correct time set?

A code is valid for 30 seconds only, plus 30 seconds after the countdown has stopped. Even a small offset in the system time can throw the 2FA off the little window when the code is valid.

Link to comment
On 3/5/2022 at 4:47 PM, PinkElephant said:

How sure are you the device you use to generate the cipher code is booked into the right time zone, and has the correct time set?

A code is valid for 30 seconds only, plus 30 seconds after the countdown has stopped. Even a small offset in the system time can throw the 2FA off the little window when the code is valid.

The 2FA is on a cell phone and the network keeps the time correct.  2FA is working on every other website.  It consistently fails only on the Evernote website.

What is extremely interesting is that when I asked for an alternate authentication - sent by text message to my phone - Evernote sent me an OLD 2FA CODE that I had seen on the 2FA application minutes ago when 2FA was failing on the Evernote website!!   That strongly suggests that there is a clock problem, and that problem is that the cell phone's clock is about 1.5 minutes fast.

Since there is zero chance to get a cell phone company to update its clocks more accurately, could we get Evernote to configure their servers to accept codes generated within a two minute window either side of the correct time?   That's a pretty reasonable time lag.

Link to comment
You can ask support.

How big is the chance they will lower security for everybody just because your phone company sets a wrong time? I think it is zero - it would probably even invalidate any security audits they want to pass.

You could do something else: Deactivate 2FA first, and then set it up again with codes sent by messaging. This is independent from wrong clock settings.

Link to comment
1 hour ago, persistentone said:

The 2FA is on a cell phone and the network keeps the time correct.

Try browsing to time.gov on your cell phone and see what it says about your system clock. It will report how far off it thinks your clock is.

Also, what app are you using to generate the 2fa code? Try installing a new app and compare whether it generates the same code at the same time. You could try Google Authenticator and Microsoft Authenticator, for example. 

Link to comment
