Troubleshooting multifactor authentication

Multifactor authentication (MFA) fails with an invalid state ID.

Problem

You might see the error FBTAUT017E Authentication service received an invalid state ID [id]. when you use MFA to log in to IBM® Sovereign Core.

In addition, when you try to validate with the 6-digit code, every code the authenticator app generates can be rejected, and you might see the following message: FBTOTP337E The submitted one time password is invalid. 1 incorrect attempt(s) have been made. You have 4 attempts remaining.

Cause

The invalid state ID error is most likely caused by a timeout while you set up your authenticator app.

The 6-digit codes generated by the authenticator app are rejected because most authenticators default to the SHA1 hashing algorithm, whereas SHA256 is required. Also, most authenticators (for example, IBM Verify, Google Authenticator, Microsoft Authenticator) do not provide an option to change the hashing algorithm during manual entry.
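To make the cause concrete, the following added example (not part of this IBM documentation) computes RFC 6238 TOTP codes from the same base32 secret with SHA1 and with SHA256, and reports which algorithm would have accepted a submitted code. The secrets are the RFC 6238 test seeds, used here as constructed sample values; the server-side verify window of one step either side is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secrets: the RFC 6238 test seeds, base32-encoded the way an
# authenticator's manual-entry field expects them. Not real IBM Sovereign Core keys.
RFC_SHA1_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SHA256_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA===="


def totp(secret_b32, algorithm, for_time, digits=6, period=30):
    """RFC 6238 TOTP: HMAC(key, time step) with the chosen hash, dynamically truncated."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", max(0, for_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(submitted, secret_b32, algorithm, now, window=1):
    """Server-side check (assumed policy): accept the current step plus `window` steps either side."""
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, algorithm, now + step * 30), submitted):
            return True
    return False


def accepting_algorithms(submitted, secret_b32, now, window=1):
    """Diagnostic: which hash algorithm(s) would have validated the code the app produced?"""
    return [alg for alg in ("sha1", "sha256") if verify(submitted, secret_b32, alg, now, window)]


if __name__ == "__main__":
    t = 59  # RFC 6238 test time (Unix seconds)
    app_code = totp(RFC_SHA256_SEED_B32, "sha1", t)       # what a SHA1-only app would show
    server_code = totp(RFC_SHA256_SEED_B32, "sha256", t)  # what a SHA256 server expects
    print("app (SHA1):", app_code, "server (SHA256):", server_code)
    print("accepted under:", accepting_algorithms(app_code, RFC_SHA256_SEED_B32, t))
```

If the code your app shows is accepted under sha1 but not sha256, the entry was created with the wrong algorithm rather than a wrong secret or a clock skew.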

Solution

Make sure you meet these requirements:
  • You have a valid user account in IBM Sovereign Core.
  • You have completed the initial password setup or password reset process.
  • You have an authenticator app that provides the option to change the hashing algorithm during manual entry and that supports SHA256. Authenticators that provide this option include Proton Authenticator, 2FAS Authenticator, Bitwarden Authenticator, and Aegis Authenticator.
Review the following recommendations:
  • Have a messaging app such as Slack or Discord on both the device you are logging in on and the mobile device with your authenticator app, and send yourself the text code. This also reduces the chance of a typing error.
  • If you are sending yourself the text code, temporarily disable the application lock setting on your authenticator app, since the lock can reset your progress when you switch between apps and slows down the setup.
Use the following steps to resolve the issue.
Note: You may encounter FBTAUT017E Authentication service received an invalid state ID [id]. at any point in the process before you reach the MFA success page. It is possible to continue the setup by refreshing the page. If not, you can try again in a different browser or a private window.
  1. In the authenticator app, click on the new entry button.
  2. Select the Enter Manually option. If you don't see the option and the QR scanner opens instead, click Enter Manually, which is usually at the bottom of the page.
  3. Enter a value of your choice for all required fields except the secret/code/key field, which you will enter later.
  4. Expand the Advanced Options or Additional Options tab and change the algorithm to SHA256.

    If you are using the Bitwarden Authenticator, you have to save the entry first then edit the entry by clicking the 3 horizontal dots next to it to see the additional options.

  5. Log in to the dashboard with your username and password.
  6. When asked to set up biometric authentication, click Not now to proceed to the authenticator app setup.
  7. Copy the code underneath the text Or Enter the code manually into your app into the secret/code/key field in your authenticator app and save the entry.

    If you have a messaging app, copy and paste the code to send it to yourself. On your mobile device, copy and paste the same code into your authenticator app.

  8. Click Continue on the IBM Sovereign Core page.
  9. Enter the 6 digit code from the authenticator app to validate.
  10. On the Success page, click Done.
  11. If you see the FBTAUT017E Authentication service received an invalid state ID [id] error, close the browser completely and try logging in to the dashboard again with a different browser or a private window.
  12. When asked to set up biometric authentication, click Not now to proceed to the authenticator app setup.
  13. Log in to the dashboard using your authenticator app to make sure MFA works.