Weird behaviour with 2FA codes: first one is never accepted

[Kovah]

Hi all,
I am using Authentik for quite a while now. My personal account is configured to use 2FA via OTP for better security.
However, when logging in, the OTP behaves really strange.

1. I want to login, enter username and password. Then the 2FA prompt shows up. 1Password fills the current code automatically (I checked if it's correct twice) and click login again. Nothing happens. The site just reloads with exactly the same step.
2. When clicking login again with the same (seemingly correct code), I get the error
   Invalid Token. Please ensure the time on your device is accurate and try again.
3. I checked the code twice if it's correct and it is.
4. I have to wait for 1Password to generate a new code. As soon as I enter it, Authentik successfully logs me in.

What I did to find the issue:

• I checked my server time and time zone. It's correct and time zone is set to UTC.
• Even when I pass /etc/timezone and /etc/localtime into the Authentik container, the issue persists.
• When using another code generator, the issue persists (so it's probably not 1Password's fault).
• I have set up a new 2FA like 3-4 times already. The issue doesn't seem to be the actual configured OTP.

The log related to the failed OTP seems to be this:

INF action=login_failed 
auth_via=unauthenticated 
client_ip=192.168... 
context={
"device_class":"totp",
"http_request":{
  "args":{"next":"/"},
  "method":"POST",
  "path":"/api/v3/flows/executor/default-authentication-flow/",
  "request_id":"740ef8b....",
  "user_agent":"Mozilla/5.0 (Macintosh; Intel Mac..."},
  "stage":{
    "app":"authentik_stages_authenticator_validate",
    "model_name":"authenticatorvalidatestage",
    "name":"default-authentication-flow-mfa",
    "pk":"f5c...."},
  "username":"XXXXX"} 
domain_url=XXXXX 
event=Created Event 
host=XXXXX 
logger=authentik.events.models 
pid=59 
request_id=740ef8b.... 
schema_name=public 
timestamp=2025-02-05T08:18:44.727582 
user={"email":"XXXXX","pk":5,"username":"XXXXX"}

I'm quite lost. I have no idea how to debug this and what might be missing.

---

Authentik details:

• Running version 2024.12.2
• Set up via Docker Compose according to the standard setup.