View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006187SOGoWeb Preferencespublic2026-04-01 20:452026-04-02 07:02
Reportersmortex Assigned Toqhivert  
PrioritynormalSeverityminorReproducibilityalways
Status feedbackResolutionopen 
Product Version5.12.5 
Summary0006187: Regression with TOTP
Description

While working on updating the FreeBSD port of SOGo, I found a regression in the TOTP verification starting with SOGo 5.12.5 (still present with 5.12.6 and 5.12.7):

When signing-in, after typing correct username and password, a valid TOTP is rejected.
As a result, legitimate users cannot sign-in anymore.

Steps To Reproduce
  1. Install SOGo < 5.12.5
  2. Sign in with user, setup MFA
  3. Sign out and sign-in again using TOTP
  4. Upgrade SOGo to >= 5.12.5
  5. Sign out and attempt to sign in again, see that TOTP is rejected
Additional Information

If the user is already signed-in before the update, the QR code displayed on their user preference page change after the update.

Using this QR new code, the user can add a new TOTP on their device, different from the older one, and that will work with the updated version of SOGo.

In my case, the "legacy" TOTP secret is 20 chars long, while the "new" TOTP secret is 32 chars long.

This seems to be related to this change as reverting it allows to sign in using the "legacy" TOTP secret with the latest version of SOGo:
https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2

TagsNo tags attached.

Activities

qhivert

qhivert

2026-04-02 07:02

administrator   ~0018434

Hello,
I've tested it and don't reproduce the problem. There is a mechanism for legacy totp code to ensure a smooth transition between <5.12.5 and later versions.
Could you check that the timestamp of your server is properly sync with the global timestamp -> https://www.timestamp.fr/ ?
If not, your code could be only available like 10s instead of 30s leading to error. I got the same problem on one my test server.

Issue History

Date Modified Username Field Change
2026-04-01 20:45 smortex New Issue
2026-04-02 07:02 qhivert Note Added: 0018434
2026-04-02 07:02 qhivert Assigned To => qhivert
2026-04-02 07:02 qhivert Status new => feedback