It’s all based on time. If the server time is out of whack or your personal system time is out of whack, it won’t be a valid code.
I’ll look into that FIDO/U2F.
On Feb 26, 2020, at 8:49 AM, ngp ngp@tilde.club wrote:
On Wed Feb 26, 2020 at 3:04 PM, wrote:
If 2FA gets switched on, it should either be optional, or there should be a strategy for account recovery (by previously set alt email e.g.). I've been definitely locked out of servers before because of OTP loss or even bugs in 2FA PAM - although that was quite a while ago.
OpenSSH's latest version also has support for FIDO/U2F. I haven't gotten the chance to use it yet, but it could be a pretty nice alternative to OTP. Second on OTP bugs/lock out. I've been locked out of my email provider because OTP randomly stopped accepting my tokens.