[Bug] TOTP 2FA/MFA binding fails with authenticator app when refresh interval (period) is set to non-30s; misleading “internal server error” #11915
Description
Contact Information
No response
1Panel Version
v2.1.0
Problem Description
When enabling TOTP-based 2FA in 1Panel, the UI allows setting an arbitrary “Refresh interval(s)”, e.g., changing from the default 30s to 60s. The generated QR (otpauth URI) correctly includes period=<value> (e.g., period=60). However, Microsoft Authenticator still rotates codes every 30 seconds (30s countdown shown in the app), so OTP validation in 1Panel fails deterministically during binding, showing: code is not valid.
When enabling two-factor authentication in 1Panel, the front end lets the user change the “refresh interval” from the default 30 seconds to any other value (for example 60 seconds), and the generated QR code writes that value as period=<value>. However, some authenticator apps (for example Microsoft Authenticator) only support a 30-second refresh interval: after the code is scanned they still generate codes on a fixed 30-second step (the app shows a 30-second countdown), so when the code is entered in 1Panel to complete binding, verification fails with the message 服务内部错误: code is not valid.
Steps to Reproduce
- Panel settings → Security → Two-factor authentication
- When enabling two-factor authentication for the first time, change the “refresh interval” from 30 to 60 (and click “Save”)
- Scan the QR code with Microsoft Authenticator (the app shows a 30-second refresh)
- Enter the 6-digit code from Microsoft Authenticator in 1Panel to bind
- The following error is shown:
服务内部错误: code is not valid
The expected correct result
Suggest adding a text hint next to the “Refresh interval (s)” input explaining that most authenticator apps only support a 30-second refresh interval, and telling the user: “If binding fails, try setting the refresh interval back to 30.”
Additional Information
- The RFC 6238 standard's default time-step size is 30, and it recommends 30 seconds as the interval. [1]
- The official Microsoft Authenticator FAQ states that codes change every 30 seconds (it does not say that this is configurable). [2]
- The google/google-authenticator project wiki notes that, in the Key URI format, Google Authenticator ignores the period parameter. [3]
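To make the mismatch concrete, here is an added example (not 1Panel's code) implementing RFC 4226 HOTP and RFC 6238 TOTP with a configurable period: at the same instant the same secret yields different codes for a 30-second step and a 60-second step, so a server verifying with period=60 rejects what a 30-second authenticator displays. The seed (the RFC 6238 test-vector key), the account name and the issuer are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed test key: the ASCII seed from the RFC 6238 test-vector appendix,
# base32-encoded as it would appear in an otpauth URI. Not a real 1Panel secret.
SEED_BASE32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, ts: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole periods since the Unix epoch."""
    return hotp(secret_b32, ts // period, digits)

def verify(secret_b32: str, code: str, ts: int, period: int = 30, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift."""
    step = ts // period
    return any(hmac.compare_digest(hotp(secret_b32, step + d), code)
               for d in range(-window, window + 1) if step + d >= 0)

def otpauth_uri(secret_b32: str, account: str, issuer: str, period: int) -> str:
    """The otpauth URI encoded in the QR code; `period` is the parameter some apps ignore."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&period={period}")

def binding_mismatch(secret_b32: str, ts: int, app_period: int = 30, server_period: int = 60) -> dict:
    """Reproduce the report: the app keeps a 30 s step while the server verifies with server_period."""
    app_code = totp(secret_b32, ts, app_period)
    return {
        "app_code": app_code,                                   # what the authenticator displays
        "server_expects": totp(secret_b32, ts, server_period),  # what the server computes
        "accepted": verify(secret_b32, app_code, ts, server_period),
    }

if __name__ == "__main__":
    print(otpauth_uri(SEED_BASE32, "admin", "1Panel", 60))
    print(binding_mismatch(SEED_BASE32, 1111111109))  # timestamp from the RFC 6238 vectors
```

The period-30 codes match the RFC 4226/6238 test vectors, which is the easiest way to confirm the implementation before comparing it against a period-60 verifier.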
Footnotes
1. https://datatracker.ietf.org/doc/html/rfc6238
2. https://support.microsoft.com/en-us/account-billing/microsoft-authenticator-faqs-12d283d1-bcef-4875-9ae5-ac360e2945dd?utm_source=chatgpt.com
3. https://github.com/google/google-authenticator/wiki/Key-Uri-Format