Troubleshooting Two Factor with TOTP

The following troubleshooting guide is intended to explain error and warning dialogs and offer advice for resolving common stumbling blocks when configuring two factor with TOTP.

Troubleshooting should begin by reviewing Two Factor Authentication with TOTP.

Error and Warning Dialogs

Registering a Prover (device) has failed due to bad code

The passcode that you have entered does not match the passcode that VTScada expects. There are a few possibilities:

  • The passcode was not entered correctly
  • The passcode was not submitted within the allocated time
  • VTScada and the authenticator are using clocks that are out of sync with each other

If this error occurs frequently, you may be able to resolve it by increasing the TOTP Tolerance Window Width. If the recurring error is caused by out-of-sync clocks, however, the most secure solution is to correct the clocks rather than leave the window widened.

Registering a Prover (device) has failed because of a duplicate name

You have attempted to use a Device Nickname that already exists for that user account. User accounts can have more than one device. The first device is typically added by the operator at sign-in time; subsequent devices can be added by a user with Account Modify privileges, or by any administrator with the privilege to access and modify Account Settings. You can see all of the devices registered to a user in Account Settings.

  • If you are trying to register a new device with the same name as a device that is registered but no longer used, remove the old device first.
  • If you are trying to register more than one device with the same name, consider adding a unique identifier to the end of the name. Ex. Phone 1, Phone 2.

Warning: You are about to remove a registered device from a user account

  • If a device is removed, it can no longer be used to authenticate a user.
  • Devices can be re-registered after they have been removed (for example, after a lost phone is recovered).
  • If the user account has no registered devices and is not exempt from TOTP, the next time they sign in, they will have to provide their password and register a new device.

Exempting a workstation failed because a workstation by that name is already exempt

You have attempted to exempt a workstation by a name that is already on the exemption list.

  • Confirm whether the workstation you intend to exempt is already on the list.
  • Confirm the exact spelling of the name of the workstation you intended to exempt.

Troubleshooting

Users report several failed attempts to enter passcode

The most likely culprit is that the clocks are out of sync, so the workstation and the authenticator disagree on which passcode is currently valid. To confirm this, try increasing the TOTP Tolerance Window Width in the Administrative Settings dialog. This permits a passcode that is one or two steps away from what the workstation believes is the current passcode. This solution should be temporary: every extra step in the window is an extra code that an attacker could also present, so once you have confirmed the clocks are out of sync, synchronizing them and restoring the original window should be the priority.

This scenario illustrates a good reason to have a break-glass account. If the clock on one or more servers has fallen significantly out of sync and cannot be corrected, all TOTP authenticators would generate mismatched passcodes. In this case, the break-glass account gives you emergency access to take corrective action.

Passcodes are one-time use. VTScada does not let you sign in with the same TOTP code more than once, even if the code is still current. If you sign in, sign out and sign in again rapidly, the passcode will fail even though it is current. When registering a device, you are immediately asked to provide a code to complete the registration. If you try to use the same code to sign in shortly afterward, it will fail; you will have to wait up to 30 seconds for a new code to be generated.
This is by design, to mitigate the risk of replay attacks. If someone knows your password and watches you type in your OTP code, they cannot quickly log in from another device with the same code.
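The two behaviours discussed above, out-of-sync clocks masked by a tolerance window and the rejection of a reused code, are both properties of the TOTP algorithm (RFC 6238) rather than of any one product. The following is an added example, not VTScada code and not a description of VTScada's internals: a minimal server-side verifier in Python that shows how a clock offset between the server and the authenticator produces a "bad code", how a window of plus or minus N time steps tolerates a small offset, and how tracking the last accepted time step rejects a replayed code. The class and function names, the 30-second step and the test secret are assumptions made for the example.

```python
# Added example (not VTScada code): an RFC 6238 TOTP verifier with a
# tolerance window and replay protection. Assumed names: totp_at, TotpDevice,
# STEP_SECONDS. Standard library only.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # standard TOTP time step; assumed to match the authenticator
DIGITS = 6

# RFC 6238 reference secret (ASCII "12345678901234567890"), used only as a self-check.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp_at(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1, 6 digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step                      # which 30 s step we are in
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class TotpDevice:
    """Server-side record for one registered prover (authenticator)."""

    def __init__(self, secret_b32: str, tolerance_steps: int = 0):
        self.secret = secret_b32
        self.tolerance = tolerance_steps   # analogue of a "tolerance window width"
        self.last_used_counter = -1        # highest time step already accepted

    def verify(self, code: str, server_time: int) -> str:
        """Return 'ok', 'bad code' or 'replay' for a submitted passcode."""
        now_counter = server_time // STEP_SECONDS
        # Try the current step, then up to `tolerance` steps on either side.
        for delta in range(-self.tolerance, self.tolerance + 1):
            counter = now_counter + delta
            expected = totp_at(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                # A code for a step at or before the last accepted one is a replay,
                # even if that step is still inside the tolerance window.
                if counter <= self.last_used_counter:
                    return "replay"
                self.last_used_counter = counter
                return "ok"
        return "bad code"


def demo() -> dict:
    """Walk through the scenarios from the troubleshooting text; returns outcomes."""
    secret = "JBSWY3DPEHPK3PXP"   # constructed test secret, not a real credential
    t = 1_699_999_990             # server clock, 10 s into a 30 s step (constructed)
    results = {}

    # 1. Clocks in sync: the phone's code matches, and a second use is a replay.
    device = TotpDevice(secret, tolerance_steps=0)
    phone_code = totp_at(secret, t)
    results["in_sync"] = device.verify(phone_code, t)           # ok
    results["replay"] = device.verify(phone_code, t + 5)        # replay (same step)
    results["next_step"] = device.verify(totp_at(secret, t + 30), t + 30)  # ok

    # 2. Phone clock 70 s ahead of the server: its code is two steps ahead.
    skewed_code = totp_at(secret, t + 70)
    results["skew_strict"] = TotpDevice(secret, 0).verify(skewed_code, t)   # bad code
    results["skew_window1"] = TotpDevice(secret, 1).verify(skewed_code, t)  # bad code
    results["skew_window2"] = TotpDevice(secret, 2).verify(skewed_code, t)  # ok
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

Widening the window from 0 to 2 turns the skewed phone's "bad code" into "ok", which is exactly the diagnostic the text describes; it also means five codes instead of one are acceptable at any moment, which is why the window should be narrowed again once the clocks are corrected. The replay check compares the time step, not the code string, so the same code reused within its 30-second lifetime is rejected regardless of the window width.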