Self hosted Matomo 2FA suddenly stopped working

I self-host a Matomo server instead of using Google Analytics.

Some time ago I suddenly lost the ability to log in, because my 2FA codes stopped working. In my great wisdom I also didn't save any recovery codes.

So here is how to recover from this situation, and what the main cause was.

First, if you don't have recovery codes, 2FA is not working, and you don't have any other admin user that can log in, you are basically screwed :) Unless! You self-host it and have access to a shell on the server. If you do, then you have to go to the main directory of Matomo and issue this command:

./console twofactorauth:disable-2fa-for-user --login=YOUR_USER_NAME

So this worked:

u-SYS-mon02 :: /var/www/matomo » ./console twofactorauth:disable-2fa-for-user --login=admin
Disabled two-factor authentication for user: admin

Now I wanted to set it up again and find out what went wrong. And this time save the damned codes to KeePass!

The first problem was that when setting up 2FA after the final OK there was an error about permissions to the /var/www/matomo/tmp/templates_c/ directory.

This was easily fixed with chmod for group www in my case.

I tried again to enable 2FA with Authy, and this time I constantly got: Wrong authentication code. Please try again.

Since Matomo uses TOTP, I checked what time the server is using, and to my surprise, the server is one hour ahead of current time.

ntpdate didn't help, and this was because my timezone was left at the default UTC... instead of proper GMT that can change to daytime.

I changed the time zone by unlinking UTC and linking Europe/Warsaw:

» date
Fri Jan 12 10:37:31 UTC 2024
» unlink /etc/localtime 
» ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
» date
Fri Jan 12 11:40:05 CET 2024

After this change, 2FA could be set up again and accepted my one-time code from Authy!
