Why Are My TOTP MFA Codes Randomly Failing on AWS?

Asked By CuriousLlama42 On

Has anyone else experienced issues with TOTP MFA codes not being accepted when trying to log into AWS? I've been dealing with it for about a month now, where I often need to input the TOTP code several times before AWS finally accepts it. I'm using `aws-vault`, but I've encountered the same problem in the Console, and it seems to happen across multiple accounts. Initially, I thought my virtual TOTP device might be malfunctioning, so I added a second one, and both generate the same codes. My TOTP key seems fine, but still, the codes are randomly rejected. I see this error clearly in the CLI: `AccessDenied: MultiFactorAuthentication failed with invalid MFA one time pass code`. Any insights would be appreciated!

2 Answers

Answered By TimeSyncNinja On

Have you checked if your clock is synchronized? Since TOTP is time-based, even a slight drift can cause issues with the codes being valid. If you're on Windows, you can try the command `w32tm /resync` to fix the time synchronization.

SyncMaster99 -

Yeah, I totally agree! A time difference can definitely cause TOTP failures. Even a 30-second discrepancy can throw everything off. Make sure your system clock is in sync.

SyncDriftDetective -

I hear you, but I’ve had issues only with AWS and my clock is synced using `sntp`. The offsets I checked seem acceptable, so I'm not sure it's a time problem.
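To make the time-drift explanation above concrete, here is an added example (not code from the thread, from AWS, or from `aws-vault`) that implements RFC 6238 TOTP, verifies a code with a small step window, and measures how far a client clock is off by searching neighbouring steps. It uses the RFC 6238 test-vector secret and a fixed timestamp, both constructed for reproducibility; the ±1-step acceptance window is an assumption about a typical verifier, not a documented AWS value.

```python
"""Added example: TOTP generation, windowed verification and skew diagnosis.
Not from the original thread. The secret below is the RFC 6238 test-vector
secret, and the verifier window is an assumption, not AWS's documented value."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default step; virtual MFA devices use 30 s
DIGITS = 6          # virtual MFA codes are 6 digits

# Constructed: base32 of the RFC 6238 test secret "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a TOTP secret, tolerating lowercase, spaces and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code if it matches the current step or any step within +/-window.
    window=1 is an assumed, common verifier setting. Comparison is constant-time."""
    key = decode_secret(secret_b32)
    base = server_time // step
    return any(hmac.compare_digest(hotp(key, base + d), code)
               for d in range(-window, window + 1))


def simulate_skew(secret_b32: str, server_time: int, client_skew_seconds: int,
                  window: int = 1) -> bool:
    """The client generates a code from its own (skewed) clock; the server checks
    it against the true time. Returns whether the login would be accepted."""
    client_code = totp(secret_b32, server_time + client_skew_seconds)
    return verify_totp(secret_b32, client_code, server_time, window=window)


def find_step_offset(secret_b32: str, code: str, true_time: int, max_steps: int = 10):
    """Diagnose drift: return the step offset (nearest first) at which `code`
    matches, or None. offset * STEP_SECONDS approximates how far the clock that
    produced the code is from `true_time`."""
    key = decode_secret(secret_b32)
    base = true_time // STEP_SECONDS
    for delta in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(hotp(key, base + delta), code):
            return delta
    return None


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed timestamp; use int(time.time()) for real checks
    print("code at now:", totp(SAMPLE_SECRET_B32, now))
    for skew in (0, 25, 45, 75, -75):
        ok = simulate_skew(SAMPLE_SECRET_B32, now, skew)
        print(f"client skew {skew:+4d}s -> {'accepted' if ok else 'REJECTED'}")
    # Example diagnosis: a code produced 65 s ahead of true time lands 2 steps away.
    ahead = totp(SAMPLE_SECRET_B32, now + 65)
    print("step offset of a +65 s code:", find_step_offset(SAMPLE_SECRET_B32, ahead, now))
```

In practice, paste the code your authenticator currently shows into `find_step_offset` with the secret you registered and a trusted time source; a non-zero offset that appears consistently points at the clock on the device generating codes, while intermittent rejections with offset 0 point elsewhere.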

Answered By AppChoiceAdvisor On

What TOTP app are you using? If you're on a Mac, have you thought about trying the Passwords app or iCloud Keychain? Also, if you have Identity Center or IAM users, you can register multiple MFA methods and maybe switch to a passkey instead, since that won't have the time limitation like TOTP does.

TroubleshootingGuru -

Thanks for the tips! I'm using Bitwarden and Keeper for my virtual TOTP, and they sync perfectly, so I don't want to switch apps just yet. I do have multiple MFA methods, but unfortunately, `aws-vault` doesn't support passkeys or hardware keys. It’s really puzzling why these TOTP codes only fail on AWS.
