I just noticed my OTP codes are failing when I am logging in to the forum.qubes-os.org.
Forum software (discourse) says, “Invalid code, each code can be used once”.
My OTP codes that come from the same 2FA device are working for my github account, so that is weird, as it seems to imply there might be an issue with the way discourse software handles OTP?
It could well be a bug. I’d search on meta.discourse.org. That’s the forum for the forum software. We haven’t changed the configuration.
It probably means your 2FA device’s clock isn’t synced accurately enough.
Yeah some websites accept bigger clock offsets than others.
That might be the case, however, timedatectl command reports that my “vault” qube is off just 1 minute. Vault qube is not connected to the internet, and I have set its time using timedatectl tool, picking my city location.
So, 1 minute difference between vault’s clock, and my internet-connected phone’s time can be causing my OTP codes to fail?
If the 2FA device’s clock is off by a whole minute from the website server’s clock (which presumably is accurate), that’s too much for sure. TOTP codes are typically valid for 30 second slices of time. I’d aim for keeping the 2FA device’s clock within 10 seconds of the actual time.
All VMs including those that are offline (except for Whonix based ones) should automatically be getting their time from the ClockVM configured in Qubes Global Settings.
ClockVM, on my qubesos, is sys-net qube.
On the sys-net qube, I can also see this 1 minute offset.
So, timedatectl returns following errors on sys-net:
(sys-net) $ timedatectl timesync-status
Failed to query server: The name org.freedesktop.timesync1 was not provided by any .service files
(sys-net) $ timedatectl show-timesync
Failed to parse bus message: No route to host
How can I resolve this? Is this the cause of my ~1 minute offset in system clock across my qubes? I am running sys-net over a debian-11-minimal template.
I resolved my OTP code issue, here: Definitive guide to time setting & sync in Qubes OS - #15 by tanky0u
To summarize: my system clock seems to have drifted from the UTC clock. The mismatch was around a minute and a few seconds apart. The sys-net qube had its template on a minimal debian-11 template. I created that template following the qubes-os documentation here: Minimal templates | Qubes OS
The guide didn’t mention installing the debian package, systemd-timesyncd. And it wasn’t present in my sys-net minimal debian-11 template. So, as suggested by @rustybird on the afore-linked thread, I have installed systemd-timesyncd package to my minimal debian sys-net template using apt package manager.
I gave my QubesOS a restart, and now my clock is synced, and my OTP codes for this forum are working again.