Using 2FA authenticator app also consumes backup 2FA passcodes #7907

Closed
jbusuttil opened this issue Dec 2, 2023 · 21 comments
Comments

jbusuttil commented Dec 2, 2023

Describe the bug
When using 2FA with an authenticator app, after 10 logins a pop-up message indicates that all backup passcodes have been consumed and suggests disabling and re-enabling 2FA to regenerate them.

To Reproduce
Steps to reproduce the behavior:

  1. Enable 2FA
  2. Log in 10 times with 2FA authenticator app (not using backup passcodes)
  3. Observe pop-up message on 10th login

Expected behavior
2FA using authenticator app should not (appear to) consume backup passcodes

Environment (please complete the following information):

  • OS: Debian bookworm (12) (running inside LXD container, host OS also Debian bookworm 12)
  • n8n Version 1.16.0
  • Node.js Version 18.13.0
  • Database system SQLite
  • Operation mode main

Additional context
[Updated] Vanilla install using npm install -g n8n

Joffcom (Member) commented Dec 2, 2023

Hey @jbusuttil,

I have just tried to give this a go using my self-hosted install and it appears to be OK. Do you only see this when running from source, and which commands are you using to launch n8n?

jbusuttil (Author) commented

Correction (my bad): I had installed using npm install -g n8n (not from source as originally posted; bug report edited).

n8n is launched from systemd:

[Unit]
Description=n8n v1.16.0 server
After=syslog.target network.target

[Service]
Environment="N8N_CONFIG_FILES=/opt/n8n/production.json" "WEBHOOK_URL=https://[redacted]"
WorkingDirectory=/opt/n8n
ExecStart=/usr/local/bin/n8n start
Type=simple
Restart=always
RestartSec=10
SyslogIdentifier=n8n
User=n8n
Group=n8n

[Install]
WantedBy=multi-user.target

jbusuttil (Author) commented

Just to update on this, I disabled and re-enabled 2FA to regenerate the recovery codes, then I continued to log in using the authenticator app (again not using the recovery codes). After 10 logins, the same notification pops up to tell me that all the recovery codes have been used. I've disabled 2FA for the time being.

Joffcom (Member) commented Dec 15, 2023

Hey @jbusuttil,

Some good news on this one: this issue was fixed in the 1.20.0 release of n8n with the PR below, so an upgrade should get you up and running again.

#7936

jbusuttil (Author) commented

Hi @Joffcom - I've just upgraded to 1.20.0 - I'm assuming the 2FA issue is fixed as you've kindly highlighted, so I'll close this and reopen if not. Thanks!

jbusuttil reopened this Dec 15, 2023

jbusuttil (Author) commented Dec 15, 2023

@Joffcom Alas - still seeing the same problem in 1.20.0 - reopening. Notification that all 2FA recovery codes have been used now appears after <10 logins. So far I've seen it pop up after 5 logins (then I reset 2FA) then after 1 login. Again, I've disabled 2FA for now.

Logs:

Dec 15 11:55:34 n8n n8n[802]: Loading config overwrites [ '/opt/n8n/production.json' ]
Dec 15 11:55:53 n8n n8n[802]: n8n ready on 0.0.0.0, port 5678
Dec 15 11:56:02 n8n n8n[802]: Version: 1.20.0
Dec 15 11:56:03 n8n n8n[802]: Editor is now accessible via:
Dec 15 11:56:03 n8n n8n[802]: http://localhost:5678/
Dec 15 11:56:08 n8n n8n[802]: 401 Not logged in
Dec 15 12:02:52 n8n n8n[802]: 401 MFA Error
Dec 15 12:03:05 n8n n8n[802]: 401 MFA Error
Dec 15 12:03:14 n8n n8n[802]: 401 MFA Error
Dec 15 12:03:23 n8n n8n[802]: 401 MFA Error
Dec 15 12:03:36 n8n n8n[802]: 401 MFA Error
Dec 15 12:03:46 n8n n8n[802]: 401 MFA Error
Dec 15 12:06:54 n8n n8n[802]: 400 renewal failed because current cert is not initialized
Dec 15 12:07:05 n8n n8n[802]: 401 MFA Error


Joffcom (Member) commented Dec 15, 2023

Hey @jbusuttil

That isn't good. I will get the internal ticket opened again.

While it does use up the recovery codes, you should still be able to use MFA. The downside, though, is that if you do need to use a recovery code you will need to use the CLI to disable MFA for your user.

Joffcom (Member) commented Jan 3, 2024

Hey @jbusuttil,

I have just been trying to reproduce this again on a clean 1.22.0 install, and this doesn't appear to be an issue now. Can you check again to see if it is working for you as well?

jbusuttil (Author) commented Jan 3, 2024

HNY @Joffcom

EDIT (version corrected, it was a typo): I've tested with 1.21.1, but not on a clean install.

Test 1: After enabling MFA, the notification pops up that all recovery codes have been exhausted, as before.


Test 2: I stayed logged in with my original browser (firefox), then I logged in from a different browser (chrome) while MFA was still enabled. I was able to log in and out in chrome repeatedly using MFA + auth app, despite further warning messages that my recovery codes were exhausted.

Test 3: In chrome, which had popped up the warning notification that I had no recovery codes left, I was able to log in using one of the recovery codes.

So a possible explanation is that only the warning notification itself is spurious. Thanks again for your help looking into this!

Logs:

Jan 03 14:58:00 n8n n8n[2770]: Loading config overwrites [ '/opt/n8n/production.json' ]
Jan 03 14:58:29 n8n n8n[2770]: n8n ready on 0.0.0.0, port 5678
Jan 03 14:58:38 n8n n8n[2770]: Version: 1.21.1
Jan 03 14:58:39 n8n n8n[2770]: Editor is now accessible via:
Jan 03 14:58:39 n8n n8n[2770]: http://localhost:5678/
Jan 03 15:42:20 n8n n8n[2770]: 401 Not logged in
Jan 03 15:42:40 n8n n8n[2770]: 400 renewal failed because current cert is not initialized
Jan 03 15:42:56 n8n n8n[2770]: 400 renewal failed because current cert is not initialized
Jan 03 15:44:06 n8n n8n[2770]: 400 renewal failed because current cert is not initialized
Jan 03 15:44:56 n8n n8n[2770]: 401 MFA Error
Jan 03 15:45:05 n8n n8n[2770]: 401 MFA Error
Jan 03 15:45:14 n8n n8n[2770]: 401 MFA Error
Jan 03 15:45:25 n8n n8n[2770]: 401 MFA Error
Jan 03 15:49:25 n8n n8n[2770]: 401 Not logged in
Jan 03 15:49:50 n8n n8n[2770]: 401 MFA Error
Jan 03 15:50:40 n8n n8n[2770]: 401 MFA Error
Jan 03 15:50:58 n8n n8n[2770]: 401 MFA Error
Jan 03 15:51:29 n8n n8n[2770]: 401 MFA Error
Jan 03 15:56:05 n8n n8n[2770]: 401 MFA Error

Joffcom (Member) commented Jan 3, 2024

Hey @jbusuttil,

Your log seems to be from 1.21.1, not 1.22.1. Are you sure you updated?

For some reason, no matter what I do I am not able to reproduce this. How many attempts are you doing before it shows the message? I got up to 30 this time before I was happy it was all good. Do you see the message on every authentication attempt? Is your user the owner or a normal user?

When you enabled MFA did it pop up instantly to say the codes had been used or did it generate new codes for your user?

jbusuttil (Author) commented Jan 3, 2024

@Joffcom Sorry - typo in the version number, should have been 1.21.1 (current 'latest' using n8n update at time of writing). I've updated the earlier comment to avoid confusion. (It's a production system, so I'm sticking to prod releases; I don't have a handy spare place to test other versions at the moment.)

(referring to my earlier comment )

Test 1: I logged in 4 times using MFA+app in firefox to get the first notification on the fourth login

Test 2: I logged in 2 further times in chrome using MFA+app to get the notification there on the second login

Test 3: no notification when using an actual recovery code to log in

Logging in repeatedly thereafter with both Firefox and Chrome using MFA+app only generates the notification intermittently, not on every login. No pattern I could discern; every 3-4 logins, it seemed.

I didn't receive a notification about recovery codes when I enabled MFA itself other than to download the recovery codes as usual.

My user is the owner.

Joffcom (Member) commented Jan 4, 2024

@jbusuttil if I set you up a user on a test n8n instance, could you try on that too and let me know if you can reproduce the issue there as well?

jbusuttil (Author) commented

@Joffcom Happy to, let me know what you need me to do 👍

Joffcom (Member) commented Jan 23, 2024

Hey @jbusuttil,

Good news: I am not sure how it happened, but at some point over the weekend I got the same error. The only thing I noticed was that I think the version of Firefox was a bit older. I am getting a new dev ticket made for this now so we can get to the bottom of it.

jbusuttil (Author) commented

Thanks @Joffcom - I have an uncanny knack of triggering obscure bugs, thanks for investigating

NoLooseEnds commented

Just chiming in that I also got this now without ever using a recovery code.
I'm currently on v1.33.1 (self-hosted), using the Arc browser (Chromium-based) with 1Password.

RicardoE105 (Contributor) commented

I have tried everything mentioned in the thread to replicate the issue, and I have not been able to. @jbusuttil @NoLooseEnds did you keep encountering this issue?

jbusuttil (Author) commented May 24, 2024

@RicardoE105 The problem became much less frequent in the stable versions released around late January / early February (2024), then went away almost entirely in subsequent stable releases. I think I've only seen the message pop up literally once in the last couple of months as of time of writing.

NoLooseEnds commented May 27, 2024

@RicardoE105 When I got the notification from GitHub I tried to force the issue by logging in via incognito mode, but got rate limited on the login and did not have time to test until today. And unfortunately I still get the error.

[screenshot of the notification, 2024-05-27]

Running 1.41.0

Let me know if you need anything.

jbusuttil (Author) commented

[screenshot of the notification]

Triggered again for first time in a while for me

n8n self-host 1.42.1

Firefox 126.0.1 (64-bit, Windows 10)

netroy (Member) commented Jun 20, 2024

I'm not certain whether the bug was that the recovery codes were actually getting used up, or that the notification popup was incorrectly getting triggered, but for now the code that triggered the notification has been removed since 1.45.0.

I think we can close this issue for now. If someone finds a related issue with MFA, we can then re-open this.

netroy closed this as completed Jun 20, 2024