Generated Code in GA-App wrong about googleauthenticator HOT 4 CLOSED

I also syncronized the time within the settings of the App

What do you mean with "within the settings of the App"?
Please make sure the clock (time+timezone) on the phone (where the GA-App runs) and the clock (time and timezone) on the server where the PHP script runs are both correct.

If you write down the codes from both instances, do you see the same codes, but time-shifted? Like:

This for example shows that both clocks are not in sync, they differ by round about 90 seconds. (199273 on the server is generated 90 seconds later on the phone)

from googleauthenticator.

Thanks for the very quick answer,

I also syncronized the time within the settings of the App

In the Google Authenticator App you can tap on the three small dots and then navigate to the settings of the app and there is the option to sync the time.

And yeah both devices my developer laptop and my smartphone got the same timezone and the quite the same time (+- 1-2 sec).

Does it matter that I develop in an IDE called phpStorm and there always run/execute the code manually every 90 sec on the localhost and not on an dedicated server that runs the code everytime or that the IDE maybe has a problem getting the time correct?

The codes aren't timeshifted here a table:
Mobile: Web:
326067 128803
045516 248723
120239 954993
816807 868054
034907 496025

from googleauthenticator.

After thinking about it, I guess I know the problem.
Are you using exactly the script that you posted above? Because with every run of that script, you generate a new $secret. That of causes generates different codes every time you run it.

If you generate a secret for a user, you have to store that secret in a database for example. And the user has to put that secret into his GA-App.
When this user wants to authenticate with the code as a second factor, you have to get the secret from the database for that user, so the server can generate the same token that the GA-App also generates.

In your script, you always create a new secret, so it changes on every run. Then you cannot generate the same code sequence as the GA-App. Both have to know and use the same secret.

For testing: After you generate a secret, put it into your GA-App, and comment out
$secret = $ga->createSecret();
and set
$secret = 'xxxxxxxx';

Then both sides have the same secret, and will generate the same codes at the same time.

from googleauthenticator.

Oh thanks a lot,

this solved the problem.
Such a easy mistake...

Thanks for answering such quick an solving the problem 👍

from googleauthenticator.