Hi there,
I am really sorry to hear about this unexpected experience. It's not something we see regularly; however, there are a few troubleshooting steps we can take to narrow this one down.
You already did a great job ruling out the server time/sync. That's usually one of the first things to rule out, and it's helpful to know NTP is confirmed healthy.
To help us dig deeper and get to the root cause, we have a few follow-up questions:
- Are you running a classic WordPress Multisite installation, or is this a Bedrock-based setup (e.g. via Roots/Trellis)?
- Can you see a pattern in the affected users' roles, maybe? Does this affect all users or just some? Also, are all users using the same login form to access the site? If so, is that a custom form or the native WP login form?
- Is this affecting all users across the board, or is it limited to existing users who had 2FA already configured? Are any newly enrolled users also experiencing the same ‘Invalid Verification Code’ error?
- The invalid code errors you’re describing are most commonly associated with TOTP (the time-based authenticator app codes). However, we’d like to know: are users also seeing issues when using backup codes, or OTP via email (HOTP)? This would help us narrow down whether it’s specifically a TOTP/encryption issue or something broader.
- Has anything changed in your setup over the past few weeks? Specifically, we’d like to know if the site (or any subsite) was recently migrated – for example, moved from staging to production or vice versa, or if the database was cloned or transferred in any way. This is one of the most common triggers for this type of issue, as the encryption keys used by WP 2FA can become out of sync during a migration.
On that last point, we have a dedicated knowledge base article covering best practices for migrating a site while retaining your 2FA encryption setup – it’s worth a read.
Looking forward to your answers and we’ll take it from there!
Hi,
Thanks for the response, much appreciated.
I have been testing this more, and it seems we can get it to work again by deactivating the current two-factor authentication and deleting it from your phone. Then you need to set up the two-factor authentication again from scratch, and it is working as it should. There is a bit of a confusing issue, though: I still get the error 'Invalid Two Factor Authentication code.' in the Verification Code field during setup when I first try to verify the code from the phone. But if I wait until a new number is generated and do it again, then it does work and seems to be all good from there on. This happens each time.
I have answered your questions here as you have taken the time to write them.
- It is just a standard WordPress multi-site installation.
- All users were affected and it was just a native WordPress login form.
- We only allow login with two-factor authentication active. So in that sense it was affecting everyone who tried to log in. See my note above about resetting the two-factor login a few times for testing.
- Users could not use email to receive a login code, as it is deliberately not an option for them. People did not try their backup codes. You know what people are like; typically they may not even bother saving these codes. Plus I needed to give them access quickly, so I just disabled the 2FA so they could work.
- Nothing major changed in the setup over the last few weeks except for updates to WordPress and plugins. The site is on the same server as it has been for over a year. Nothing has been migrated in or out. I was wondering if it had something to do with the daylight saving time change last weekend in America. But I asked the server hosts about this and they said:
- The server timezone on Cloudways is always set to UTC and cannot be changed, regardless of your location or the location of your users. This is due to the requirements of centralized orchestration and automation across all servers. Even if your users are in Europe (UTC+0), the server itself will always operate on UTC time. Any changes in daylight saving time in the US or elsewhere do not affect the server's system time.
Hello again!
Thank you for coming back with such detailed answers – this is really helpful and you’ve done a great job narrowing things down!
Based on everything you've described, we have a working theory. The timing of the issue – occurring shortly after the US daylight saving time change – is interesting, and while the server itself is unaffected (as your host confirmed, it stays on UTC), the authenticator app on users' devices could have been temporarily out of sync during or just after the DST transition. TOTP codes are extremely sensitive to time drift, and even a brief mismatch of 5–10 seconds on the device side is enough to cause "Invalid Code" errors consistently.
The fact that resetting and re-pairing 2FA resolved the issue for users – and that waiting for the next code cycle during setup also fixed things – is consistent with this. It suggests the pairing itself was fine, but the first code generated was caught in a transitional window.
This is also the first time we’re encountering this specific edge case, so your report is genuinely useful for us.
One thing we’d like you to do to confirm all is well now:
Could you try configuring 2FA from scratch with a brand new test user and go through the full setup and login flow? Since some time has passed since the DST change, clocks should have settled – and if a new user can set up and use 2FA without any issues, that gives us good confidence the root cause has passed and existing users simply need to re-pair their authenticator apps.
The slight oddity you're seeing during setup – where the first code fails but the next one works – is also not usual, and worth keeping an eye on in case it requires troubleshooting (ideally we need to know whether it's intermittent or always happening). If this persists consistently with the new test user as well, please let us know and we'll dig further into that specific behaviour.
Looking forward to hearing how the test goes!
If this plugin isn't going to work randomly and I need to reset it at random times, I don't feel comfortable purchasing it, when your solution to a problem is for me to take my time to take it completely off my site and add it back. I don't have this kind of time to run down every plugin.
I just tried to deactivate and reactivate which didn’t help.
The “reset” option isn’t showing up, so I’m stuck.