Introduction

MFA verification fails when the submitted code is incorrect or the device clock has drifted from the server's. This guide provides step-by-step diagnosis and resolution.

Symptoms

Typical error output:

```text
Error: MFA verification failed
Invalid verification code
Time-based OTP does not match
Remaining attempts: 2
```

Common Causes

  1. Certificate or key expired or invalid
  2. Clock synchronization issue between parties
  3. Configuration mismatch between IdP and SP
  4. Policy or rule blocking access

Step-by-Step Fix

Step 1: Check Current State

```bash
# Check IAM logs
tail -f /var/log/auth.log
# Verify SAML/OIDC configuration
cat /etc/app/auth-config.yaml
# Test connectivity
curl -v https://idp.example.com/.well-known/openid-configuration
```

Step 2: Identify Root Cause

```bash
# Check application logs
tail -f /var/log/application/auth.log
# Verify IdP connectivity
curl -v https://idp.example.com/status
# Check certificate
openssl s_client -connect idp.example.com:443
```

Step 3: Apply Primary Fix

```bash
# Primary fix: Verify and update configuration
# Check IdP metadata
curl https://idp.example.com/metadata

# Update SP configuration
# Verify certificate validity
openssl x509 -in idp-cert.pem -text -noout

# Restart service
systemctl restart application
```

Step 4: Apply Alternative Fix

```bash
# Alternative: Check logs and debug
journalctl -u application -f
# Enable debug mode temporarily
export AUTH_DEBUG=true
# Test authentication flow
curl -v https://app.example.com/login
```

Step 5: Verify the Fix

```bash
# Test authentication
curl -I https://app.example.com/protected
# Should return 200 or redirect to IdP correctly
# Check audit logs for successful login
```

Common Pitfalls

  • Not synchronizing clocks between IdP and SP
  • Using expired certificates
  • Incorrect entity IDs or audience URLs
  • Missing required attributes in SAML assertions

Best Practices

  • Implement certificate monitoring and rotation
  • Use NTP for clock synchronization
  • Test authentication flows regularly
  • Enable audit logging for all auth events