UserLock Documentation

UserLock Frequently Asked Questions

My users are getting the message 'this code is invalid' when entering the MFA code.

First identify which scenario applies:

  1. The code comes from an authenticator app on a smartphone (time-based codes, TOTP).
  2. The code comes from a USB token such as a YubiKey (counter-based codes, HOTP).

First scenario:

When users get the message 'this code is invalid' with an authenticator app, the cause is a time synchronization problem. TOTP codes are computed from the current time, so the phone that generates the code and the machine that validates it (the UserLock server, or the workstation itself when it is offline) must agree on the time to within the TOTP time step:

  • If only one user is affected, the clock of that user's phone is probably not synchronized with internet time: check that the phone sets its time automatically. If the user logged on while the workstation could not reach the UserLock server, the workstation's own clock was used to validate the code, so check that the workstation is also synchronized with internet time.

  • If all users are affected, the UserLock server's clock is off. Check its offset against an external NTP reference from a PowerShell prompt on the UserLock server (each sample line shows the offset in seconds between the server and the reference):

    w32tm /stripchart /computer:us.pool.ntp.org /dataonly /samples:5

  • If a deviation is confirmed: a domain-joined UserLock server normally takes its time from a Domain Controller, so the drift usually comes from the domain itself. Run the same check on each Domain Controller:

    • On each Domain Controller (or on the NTP server your domain uses), type the following command in PowerShell:

      w32tm /stripchart /computer:us.pool.ntp.org /dataonly /samples:5

  • Here is a quick way to correct Windows Server time synchronization by pointing the Windows Time service at an external NTP server. Run it on the machine whose clock is wrong; on a domain, the external source belongs on the Domain Controller that holds the PDC emulator role, and member servers (the UserLock server included) should keep following the domain hierarchy so that they do not drift away from the Domain Controllers:

    • Type the following commands in PowerShell:

      w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
      Stop-Service w32time
      Start-Service w32time

    • Open a new session with a protected user and validate the MFA code: it should now be accepted.
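The procedure above is repeated by hand on every host. The following PowerShell script is an added example (it is not code from the UserLock documentation or from IS Decisions) that runs the same `w32tm /stripchart` check on the UserLock server and on each Domain Controller against one external reference, reports which time source each host is actually following, and flags any host whose offset is too large for time-based codes to validate. It assumes WinRM (`Invoke-Command`) is enabled on the listed hosts, that each host can reach the reference on UDP 123, and that the host names and the tolerance are placeholders you replace with your own.

```powershell
# Added check (not part of UserLock): compare the clocks of the UserLock server and the
# Domain Controllers against one external NTP reference and flag any host that drifted.
# Assumptions: WinRM is enabled on the hosts, they can reach the reference on UDP 123,
# and the host names below are placeholders.

$Reference        = 'us.pool.ntp.org'               # same reference as the FAQ's command
$Hosts            = @('USERLOCK01', 'DC01', 'DC02') # placeholders, e.g. (Get-ADDomainController -Filter *).HostName
$MaxOffsetSeconds = 5                               # a TOTP step is 30 s; 5 s keeps a margin for network jitter

function Get-ClockOffset {
    param([string]$Computer, [string]$Peer, [int]$Samples = 5)
    # Run w32tm on the target host itself so the result is that host's clock versus the peer.
    # With /dataonly each sample prints as "HH:MM:SS, +00.0123456s"; failed samples print an error text.
    $lines = Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($p, $n)
        w32tm /stripchart "/computer:$p" /dataonly "/samples:$n"
    } -ArgumentList $Peer, $Samples

    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }            # no usable sample: the host could not reach the peer

    # Median rather than mean, so one jittery sample does not decide the verdict
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
}

function Get-TimeSource {
    param([string]$Computer)
    # /query /source works against a remote host over RPC; it shows whether the host follows a
    # Domain Controller, a manual NTP peer, or "Local CMOS Clock" (free-running: the usual culprit).
    (w32tm /query /source "/computer:$Computer") -join ' '
}

$report = foreach ($h in $Hosts) {
    $offset = Get-ClockOffset -Computer $h -Peer $Reference
    [pscustomobject]@{
        Host          = $h
        TimeSource    = Get-TimeSource -Computer $h
        OffsetSeconds = $offset
        Verdict       = if ($null -eq $offset) { 'UNREACHABLE: no sample returned' }
                        elseif ([math]::Abs($offset) -gt $MaxOffsetSeconds) { 'DRIFTED: fix time sync' }
                        else { 'OK' }
    }
}
$report | Format-Table -AutoSize
```

Read the `TimeSource` column together with the offset: a Domain Controller reporting "Local CMOS Clock" is free-running and is where the external peer should be configured (on the PDC emulator); a member server that has been switched to a manual peer will show that peer instead of a Domain Controller and should normally be put back on the domain hierarchy. The 5-second tolerance is an arbitrary conservative choice; what matters is staying well inside the 30-second TOTP step.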

Second scenario:

This scenario occurs when a YubiKey is used to log on to a machine that has no connection to the UserLock server. A YubiKey in this mode produces counter-based (HOTP) codes: every press of the button advances the counter stored in the key, but the counter UserLock keeps for that key is only advanced when UserLock itself validates a code. Each offline logon therefore moves the two counters one step further apart. If this happens more times than the value configured in MaxHotpCodeCount (6 by default), UserLock can no longer match the key's codes and the YubiKey is desynchronized. Log on with a connection to the UserLock server from time to time so that the counters resynchronize automatically. If that is not possible, install UserLock Anywhere, which lets the agent reach the UserLock server over the internet and reduces the number of times the YubiKey is used offline.

See our online documentation: How to install and configure UserLock Anywhere (isdecisions.com)

Otherwise, a workaround is to increase the value of the advanced setting "MaxHotpCodeCount" (press F7 in the UserLock server console to open the advanced settings):

"MaxHotpCodeCount": the maximum number of out-of-sync HOTP codes that UserLock will accept, that is, the number of times the YubiKey button can be pressed to get an MFA code while the machine is offline before the key is rejected. Users who lock and unlock their session frequently, or whose session activity triggers many prompts, can easily exceed 6 occurrences within a single day.

Note: once "MaxHotpCodeCount" is exceeded, the user's MFA enrollment must be redone. Set the value to 20 as a starting point for testing, then tune it to how your users actually behave when they work outside the corporate network. Keep in mind that a larger window also means more codes are accepted at any given moment, so do not set it higher than your users need. The best solution remains UserLock Anywhere, which keeps the UserLock agents communicating with the UserLock servers over an internet connection during long periods of remote work, without requiring regular reconnection to the corporate network.
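To make the desynchronization concrete, here is an added PowerShell example (not UserLock's code; UserLock's internal validation logic is not published on this page) that implements RFC 4226 HOTP with HMAC-SHA1 and a server-side look-ahead window. The window size plays the role the FAQ describes for MaxHotpCodeCount: the number of codes the token may have generated offline before the server stops recognizing it. The secret is the RFC 4226 test-vector key, the token and server are simulated as two counters, and the names `Get-HotpCode`, `Invoke-TokenPress` and `Test-HotpCode` are this example's own.

```powershell
# Added illustration (not UserLock's implementation): RFC 4226 HOTP with a look-ahead
# window, showing why N offline button presses resync but N+1 produce 'this code is invalid'.

function Get-HotpCode {
    param([byte[]]$Secret, [long]$Counter, [int]$Digits = 6)
    # 8-byte big-endian counter (RFC 4226 section 5.1)
    $msg = New-Object byte[] 8
    $c = $Counter
    for ($i = 7; $i -ge 0; $i--) { $msg[$i] = [byte]($c -band 0xFF); $c = $c -shr 8 }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation (RFC 4226 section 5.3): 4 bytes at the offset given by the low nibble of the last byte
    $offset = $hash[19] -band 0x0F
    $bin = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) -bor
           ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]
    return ($bin % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Simulated token and server state. RFC 4226 test-vector key: counter 0 must give 755224.
$Secret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$token  = @{ Counter = 0 }
$server = @{ Counter = 0; MaxHotpCodeCount = 6 }   # same default as the UserLock setting

function Invoke-TokenPress {
    # Every press advances the key's counter, whether or not anything ever validates the code.
    $code = Get-HotpCode -Secret $Secret -Counter $token.Counter
    $token.Counter = $token.Counter + 1
    return $code
}

function Test-HotpCode {
    param([string]$Code)
    # Look-ahead: accept the expected counter or any of the next MaxHotpCodeCount values.
    for ($i = 0; $i -le $server.MaxHotpCodeCount; $i++) {
        $candidate = $server.Counter + $i
        if ((Get-HotpCode -Secret $Secret -Counter $candidate) -eq $Code) {
            $server.Counter = $candidate + 1        # resync: the accepted counter is consumed
            return "accepted (server skipped $i offline codes)"
        }
    }
    return 'rejected: this code is invalid (key is beyond the look-ahead window; re-enrollment needed)'
}

"Sanity check, counter 0: $(Get-HotpCode -Secret $Secret -Counter 0)"   # 755224 per RFC 4226

# Online logon: both counters advance together
Test-HotpCode (Invoke-TokenPress)

# Six offline unlocks (codes generated but never sent to the server), then one online logon
1..6 | ForEach-Object { [void](Invoke-TokenPress) }
Test-HotpCode (Invoke-TokenPress)    # accepted, 6 skipped: exactly at the window

# Seven offline unlocks, then an online logon: one step past the window
1..7 | ForEach-Object { [void](Invoke-TokenPress) }
Test-HotpCode (Invoke-TokenPress)    # rejected
```

Raising `MaxHotpCodeCount` in the simulation simply widens the loop bound in `Test-HotpCode`, which is why a larger value tolerates more offline presses. It also means more distinct codes are valid at the same moment, which is the trade-off the note above refers to; UserLock Anywhere avoids the problem by keeping the two counters in step instead of widening the window.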