This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

International users code not accepted. #62

Open
BobFromJamul opened this issue Jun 15, 2017 · 6 comments

@BobFromJamul

We are currently using Google Authentication for our Multi-factor authentication. However, the system is not accepting the Google code that is being returned to International users with an international phone.

We have done a bit of testing internationally and have found that it is working when a US-based phone and person are internationally based, but is not working for an internationally based phone and person in the same location.

The internationally based user was able to download the app to the internationally based phone, and receive the code when prompted, however, the system does not accept the code. They received a “response Invalid” each time. We tried a few times and got the same results. A US based user and phone was able to receive the code and successfully login to the system.

We have not been able to find any information that limits the use of Google MFA to US based carriers.

@ThomasHabets
Contributor

You keep saying "international", but that's not really helping. Is it about timezones? What's the phone clock set to? What are you authenticating with (including version), and against what? Who says "response invalid"?

What does "US based user and phone" even mean?

Please explain things again without using the word "international", and describing exact steps.

You could also try scanning the same QR code on a phone that works and one that doesn't. If they show different OTP codes (assuming TOTP here) then only the one with the correct time set will show the correct code.

I can at least say that carrier itself has nothing to do with how GA works.

@BobFromJamul
Author

Thomas,

Thank you for your prompt reply. Let me see if I can break it down differently to see if it makes more sense. We are attempting to have users worldwide log into our application through the use of Google Authenticator. These users throughout the world may have different versions of hardware, different carriers, etc.

What has been found is that for those users who obtained their phone in the US and are using a US carrier, the code provided by Google Authenticator works correctly and the user is granted access to the app. We have also determined that if the user has hardware that they procured in the US and loaded the Google Authenticator app locally, they will be able to authenticate.

Users who are outside of the US have purchased their hardware in their country, and their carrier is located within that same country. Those users also use the Google Authenticator app to retrieve their code to use to access the app. Unfortunately, when entering these codes the user does not gain access; they instead get the “response Invalid” message.

At the crux of the question is whether Google Authenticator uses a single worldwide code generator and authorization back end. If there were an authorization engine in North America and a code generator in Europe, the Authenticator codes generated in Europe would not allow a user to authenticate to an application using the North American authentication engine.

@ThomasHabets
Contributor

What does "log in to our application" mean? A website? Do you know that the codes GA generates are wrong, or your app is wrong?

Are you sure the time is set correctly on the phone?

If they try to use GA to set up second factor on a gmail account and it works, but it doesn't work with your website that you coded yourself, then it's probably the latter that's broken.

> At the crux of the question is whether Google Authenticator uses a single worldwide code generator and authorization back end. If there was an authorization engine in North America & a code generator in Europe the Authenticator codes generated in Europe would not allow a user to authenticate to an application using the North American authentication engine.

This... is not close to what GA is or does.

The code is generated on the phone and is a function of the time (for time-based tokens) and the secret key. Clearly the time on the phone needs to be correct.

Please take a phone that works, and one that doesn't, and have them scan the same QR code. If they give different codes, then one of the phones has the wrong time set.

@BobFromJamul
Author

I apologize in advance for having to ask a remedial question, but my phone is on the fritz & I'm not quite sure how to go about the process of scanning a QR code and then retrieving the codes. I've Googled it and I can't find any information on how to go about doing this. Could you please point me to some documentation that would help to show this? Given that you have identified as time dependent does this need to take place at the same moment in order to generate the same code?

@ThomasHabets
Contributor

How to scan QR code with GA from app store:

  1. Browse here
  2. On both "working" and "not working" phone: Open GA app.
  3. On both "working" and "not working" phone: Press plus in lower right.
  4. On both "working" and "not working" phone: Select "scan a barcode"
  5. On both "working" and "not working" phone: Scan QR code

How to check codes:

  1. On both "working" and "not working" phone: Open GA app
  2. On both "working" and "not working" phone: find the new entry.
  3. Are the codes the same?
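The point made above (the code is a function of the secret and the current time, so two phones that scanned the same QR code show the same code only if their clocks agree) and the two-phone comparison steps, as an added worked example that is not part of this issue thread or the google-authenticator project: a minimal RFC 6238 TOTP generator plus a server-side check with a small drift window, run with a constructed secret and constructed clock skews.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, the form carried in a GA provisioning QR code (not a real key).
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# RFC 6238 test-vector secret ("12345678901234567890" in base32), used only to self-check the code.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it: HOTP with counter = floor(time / 30 s)."""
    return hotp(secret_b32, int(unix_time) // step)


def verify(secret_b32: str, candidate: str, server_time: float,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating +/- `window` steps of phone clock drift (constant-time compare)."""
    counter = int(server_time) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + k), candidate)
               for k in range(-window, window + 1))


def demo(secret_b32: str, server_time: int, phone_skew: int) -> tuple:
    """Same secret on server and phone; only the phone clock is off by `phone_skew` seconds.
    Returns (phone shows the server's current code, server accepts the phone's code)."""
    server_code = totp(secret_b32, server_time)
    phone_code = totp(secret_b32, server_time + phone_skew)
    return phone_code == server_code, verify(secret_b32, phone_code, server_time)


if __name__ == "__main__":
    # Constructed server time on a 30 s boundary so the effect of each skew is predictable.
    for skew in (0, 20, 40, 300):
        same, ok = demo(DEMO_SECRET_B32, 1699999980, skew)
        print(f"phone clock off by {skew:4d}s: shows server's code={same}, accepted={ok}")
```

A phone that is a few minutes off shows a code the server never expects, which is exactly the "response Invalid" symptom; a phone that is a few seconds off may show a different code yet still be accepted thanks to the drift window.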

@ThomasHabets
Contributor

> I'm not quite sure how to go about the process of scanning a QR code

Then... how are you even using this app?

> and then retrieving the codes.

Are you sure you're using this app?

> Given that you have identified as time dependent

I have not. I have to guess a lot from what you aren't saying.

> does this need to take place at the same moment in order to generate the same code?

No. You need to look at the codes at the same time, but not scan them at the same time.
