Troubleshooting
In this chapter, you will see some of the issues that occur most frequently when using the TOTP solution. If the issue you encounter cannot be found in this chapter, we recommend that you refer to the Stormshield knowledge base.
Using hash algorithm SHA256 or SHA512 may generate the error "Wrong TOTP code"
- Situation: During a user's TOTP enrollment, the error "Wrong TOTP code" appears.
- Cause: The Authenticator used does not support the SHA256 or SHA512 hash algorithm specified in the configuration of the TOTP authentication method on the SNS firewall.
- Solution: In Configuration > Users > Authentication, Available methods tab, on the TOTP (2FA SNS) line, change the hash algorithm to SHA1 and reset the TOTP database. Next, ask your users to follow the TOTP enrollment procedure again.
For more information, refer to Wrong TOTP code - Stormshield Knowledge Base (authentication required).
Authenticating with a TOTP or enrolling for TOTP is not or no longer possible
- Situation: One or several users cannot or can no longer enroll for TOTP or authenticate with a TOTP.
- Cause: The date and time on the device on which the user's Authenticator is installed are different from the date and time configured on the SNS firewall.
  If a user is already enrolled for TOTP, you can check the validity of the TOTPs that they use. If you notice that the TOTPs in the user's Authenticator appear as valid but the verification on the SNS firewall indicates otherwise, the issue is likely due to the synchronization of the date and time.
- Solutions:
  - Check the date and time set on the SNS firewall in Configuration > System > Configuration, General configuration tab, under Date/Time settings. If any of the properties are incorrect, change them. As a reminder, we strongly recommend that you enable NTP time synchronization.
  - On the device on which the user's Authenticator is installed, check whether the date and time match those configured on the SNS firewall. They must be completely synchronized.