Flow:
2FA works with other login(sso, username/password), so once your main login(sso, username/password) is successful then you will be asked to enter your code and once you provide the correct code generated via authenticator app(google, Microsoft etc) you will be logged in inside Harness.
Background:
Two-Factor Authentication (2FA) can be managed in two ways:
- Individual user: You can set up 2FA for your own User Profile without impacting other user accounts.
- All account users: If you have Manage Account permissions, you can enforce 2FA for all users in Harness. First, you set up 2FA for your own account, and then you can enforce 2FA account-wide in the Harness account’s Login Settings.
Once 2FA is enforced on account level, account users will experience the following changes:
- New members will need to set up 2FA during signup.
- Existing members who do not have 2FA enabled will receive an email with a QRCode, and instructions on how to set up 2FA.
Problem Scenario:
In some case although you followed the steps https://docs.harness.io/article/h0ie5q5lkl-login-settings#enforce_2fa_account_wide to configure the 2FA in the authenticator app and after providing the code you started to see Invalid two factor code. Some of the reason for this behavior:
- Your invitation has expired before you added in authenticator app
- You have multiple user provisioned in harness and you are using wrong secret key to generate the code, This is common in case of using sso authentication and you have alias email
Solution:
-
You can ask your Harness admin to Reset your 2FA(See image below) and delete already setup app and configure it with latest secret key received
-
You can check with your local Harness admin to confirm the user which is provisioned in harness and if you are using the correct secret to generate the code
-
To rule out any issue with authenticator app, you can use your secret key and can generate the code online https://totp.danhersam.com/
