Troubleshooting TOTP MFA for Secret Server Accounts
Google Authenticator generates tokens based on time synchronization. If Secret Server's clock is inaccurate or unsynchronized with Google Authenticator devices, user token validation may fail during enrollment or login.
Solution A (Preferred)
Ensure that the clock on Secret Server is accurate and synchronized with the device running Google Authenticator. Configure the web servers to synchronize their clocks with a reliable domain controller clock or an NTP server.
Solution B
By default, the token time leniency value is set to zero, meaning the token supplied must match the current time step exactly. Follow these steps to configure Secret Server to accept tokens that are slightly behind or ahead:
- Open the web-appSettings.config file and add the following key between the appSettings tags: <add key="TOTPLeniency" value="0 or greater value here" />
- Change the leniency value. We recommend setting this value to no higher than 2.
- Recycle your IIS application pool; the setting does not take effect until you do.
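To make concrete what the leniency value controls, here is an added Python example (not Secret Server's code) that implements TOTP verification with a window of plus or minus N time steps and simulates a device whose clock is behind the server's. The secret is the RFC 6238 SHA-1 test-vector key and the server time is a constructed instant; both are sample values, not real enrollment data.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # time step used by Google Authenticator (RFC 6238 default)
DIGITS = 6

# Constructed sample key: the RFC 6238 SHA-1 test-vector secret, not a real enrollment
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, token: str, server_time: int,
                leniency: int = 0, step: int = STEP_SECONDS) -> bool:
    """Accept the token if it matches the server's current step or any step
    within +/- leniency. leniency=0 is the strict default described above."""
    current = server_time // step
    matched = False
    for delta in range(-leniency, leniency + 1):
        # constant-time compare; keep looping so timing does not reveal which step hit
        if hmac.compare_digest(hotp(secret, current + delta), token):
            matched = True
    return matched


def skewed_device_accepted(secret: bytes, server_time: int,
                           device_skew: int, leniency: int) -> bool:
    """Simulate a device whose clock is device_skew seconds off the server's clock
    and report whether its token passes verification at the given leniency."""
    token = totp(secret, server_time + device_skew)
    return verify_totp(secret, token, server_time, leniency)


if __name__ == "__main__":
    server_now = 1111111111  # constructed server time (RFC 6238 test-vector instant)
    for skew in (-20, -45):
        for leniency in (0, 1, 2):
            print(f"device {skew:+d}s, leniency {leniency}:",
                  skewed_device_accepted(SAMPLE_SECRET, server_now, skew, leniency))
```

A device 45 seconds behind lands two steps back, so it is rejected at leniency 0 and 1 and accepted at 2; each step of leniency adds one valid code on either side of the current one, which is why keeping the value small matters.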