• Where to find 6 digit Authenticator code

    #2692950

    I have struggled with the Authenticator concept for a year even after numerous Woody and Google searches.

    1. After signing into a web site and requesting set up of Google or Microsoft Authenticator that you installed on your phone, you get a QR code showing on the WEBSITE screen? Right?
    2. You then take a picture of the QR display, but then how do you get the picture into the Authenticator app? Does the app automatically pick it up from the camera or do you open the app and paste it?
    3. Ok so at that point you have everything initialized. The secret key that enables instant generation of a 6 digit one time code is known to the web site and is in your phone app. Now at a later time you sign into the website and enter your ID/Pswd as normal. Then the Web MFA comes back asking for the 6 digit authenticator code. Where is it? Does the web site send a request to the app to display it or do you have to first open the app?
    4. Then of course you type the code onto the web site line – I got that!
    5. I know there are other things like saving the original QR code for transfer to a new phone, but I just could not get past the previous questions.

    I hope this helps others with the same confusion as it looks like this and other MFA types will be needed in the future and none of the help articles seem to answer these specific questions.

    • #2693028

      After signing into a web site and requesting set up of Google or Microsoft Authenticator that you installed on your phone, you get a QR code showing on the WEBSITE screen? Right?

      You then take a picture of the QR display, but then how do you get the picture into the Authenticator app? Does the app automatically pick it up from the camera or do you open the app and paste it?

      Usually you are given two options. One way is to use a “seed”. The seed is a long set of characters that you can copy from the site and paste in to your app (and use as an emergency backup). The other is the QR code. It is just an easier way for the user to get a new seed code without having to copy or paste anything. The app uses your camera to take the picture and automate the process. I prefer to copy the seed code and save it, so that I have a backup and so that I can add that to other devices and/or apps.

      Ok so at that point you have everything initialized. The secret key that enables instant generation of a 6 digit one time code is known to the web site and is in your phone app. Now at a later time you sign into the website and enter your ID/Pswd as normal. Then the Web MFA comes back asking for the 6 digit authenticator code. Where is it? Does the web site send a request to the app to display it or do you have to first open the app?

      First you open the app. The 6 digit code is showing up with a 30 second clock ticking down. You are given a new code every 30 seconds. If you are using Google or Microsoft apps, you will have to manually type the code in while reading from your app. It depends on both devices having the correct time.

      Then, there are more automated methods of entering the codes. Personally, I use Roboform Password Manager. It generates the code and it will auto fill the code for me. Here are some other password managers that support 2FA:
      https://www.tomsguide.com/us/best-password-managers,review-3785.html

    • #2693047

      I use the QR all the time, but I do it on my PC because I use KeePass as the authenticator rather than use a separate app on my phone. I use a plug-in in KeePass to read the QR.

      cheers, Paul

    • #2693098

      You then take a picture of the QR display, but then how do you get the picture into the Authenticator app? Does the app automatically pick it up from the camera or do you open the app and paste it?

      Your default phone camera app can’t scan QR so can’t get the code.
      You should launch your Authenticator app and scan the QR code.
      Example : https://www.youtube.com/watch?v=gSKTIAM45dI

    • #2693210

      First you open the app.

      Thanks so much, PL1, for great information and answering my questions in a way that I can understand.

      In other research I had found that both the web site and the app use their clock time plus the key to calculate the 6 digit code. I wonder, though, what happens when the web site is in a different time zone from the user’s PC and also what happens with daylight savings time changes. Seems like that would mess up the two calculations that must be the same for authorization?

      I also did not realize pass word managers could act as authenticators as you mentioned Roboform and Paul T mentioned KeePass.

      You also mentioned saving the initial QR seed. Another thread seemed to suggest that the copy could be opened on the desktop and camera copied by another authenticator on another phone such that there would be a backup phone to use. Of course that copy would have to be kept in a very, very safe place.

      • #2693211

        In other research I had found that both the web site and the app use their clock time plus the key to calculate the 6 digit code. I wonder, though, what happens when the web site is in a different time zone from the user’s PC and also what happens with daylight savings time changes. Seems like that would mess up the two calculations that must be the same for authorization?

        I believe the time is based on UTC (Coordinated Universal Time), but that is just a guess. I’m not sure of the intricacies.

        You also mentioned saving the initial QR seed. Another thread seemed to suggest that the copy could be opened on the desktop and camera copied by another authenticator on another phone such that there would be a backup phone to use. Of course that copy would have to be kept in a very, very safe place.

        Keeping a copy of the QR image is definitely an option. I just prefer to use the seed key code since I have a dozen or so seeds that I have printed out and kept in my fireproof safe. Plus, the seed key codes are viewable in my Password Manager.

        • #2693222

          I believe the time is based on UTC (Coordinated Universal Time), but that is just a guess. I’m not sure of the intricacies.

          Correct!

          All internet/computer time is based on UTC, which gets “adjusted” to the local time zone that’s set in each individual PC/server.

          Since “most” PC’s*, and all cell phones, use the internet to synchronize their time the “time stamp” authenticators use will always be the same and the 6 digit code they create will match.

          * if you disable the PC’s “synchronize internet time” setting or it isn’t connected to the internet for an extended period (more than a month or so), the authenticator codes might not match.

    • #2693213

      I use the QR all the time, but I do it on my PC

      I also much prefer using the desktop and was researching that but one thread on Woody mentioned that Authy was discontinuing its desktop version so if that is a trend that is concerning.

      And as I said to PL1 above I did not realize a password manager could also do the authenticator thing. Great to know!

      I forgot to ask but I guess the authenticator must provide a list to choose from for the code if you have multiple web sites using the same app.

      I Googled KeePass since I was not familiar with it and found something interesting. It quoted a Wikipedia article that said, “A 2019 Independent Security Evaluators study described KeePass as well as other widely used password managers as being unable to control Windows 10‘s tendency to leave passwords in cleartext in RAM after they are displayed using Windows controlled GUI.” That does not sound very secure.

    • #2693218

      You should launch your Authenticator app and scan the QR code.

      That is what the help manuals never say! They just take a picture. Thanks. Maybe that was obvious but I was already so confused at that point even the obvious was shrouded in mystery!

      I really learned a huge amount, too, from the thread 2648168. That was a lot to absorb but shows how confusing this is to someone that has never used it. It is concerning too that all those non Woody users may never figure this out and already I have one web site that offers either authenticator or no MFA at all and I found another government website that now requires it period.

    • #2693209

      1. After signing into a web site and requesting set up of Google or Microsoft Authenticator that you installed on your phone, you get a QR code showing on the WEBSITE screen? Right?

      Yes. It shows a QR code which has the “seed code” or “secret key”. For example, you can take the QR code to a website that will translate it. The secret key in the QR code might be “FgfdkCe24b8Sd24kl498d”. Some websites now give the code since many are not using a phone.

      2. You then take a picture of the QR display, but then how do you get the picture into the Authenticator app? Does the app automatically pick it up from the camera or do you open the app and paste it?

      Typically you have to open the app and take the picture of the QR code from the app. This way the app translates the QR code to the secret code. Some older apps need to open the photo to load it into the app.

      Ok so at that point you have everything initialized. The secret key that enables instant generation of a 6 digit one time code is known to the web site and is in your phone app. Now at a later time you sign into the website and enter your ID/Pswd as normal. Then the Web MFA comes back asking for the 6 digit authenticator code. Where is it? Does the web site send a request to the app to display it or do you have to first open the app?

      No. It is not sent to the app. The server or website creates a code separately. The app uses the secret code and the time on the computer/phone to generate the 6 digit code. For example, the secret code is “FgfdkCe24b8Sd24kl498d” and the time is 11:45:34AM. The server uses that info to generate this code: “345678”. The app uses that info to generate this code: “345678”. You type the code in. The server checks that the code matches and lets you into the website.

      If the time is off, let’s say your computer/phone is running 30 seconds later, 11:45:04AM. It will generate this: “903457”. But the server will have the correct time and will generate “345678”. When you type “903457” but it does not match “345678”, it will not let you in.

      There is a flaw with the time cycle that hackers have exploited to bypass 2FA and get into accounts. They are able to generate thousands of codes and send them to the websites in a few seconds, which bypasses it. This is why 2FA has been obsolete for over 10 years now. IT has not publicly acknowledged that since they do not want to cause panic for people.

      5. Then of course you type the code onto the web site line – I got that!

      Ok. Good that you understand that.

      6. I know there are other things like saving the original QR code for transfer to a new phone, but I just could not get past the previous questions.

      The best way is to have the “secret code” or “seed code” saved in a safe place, i.e. on two or three USB keys that are locked in a safe deposit box or other safe location, in different locations to be safe. This way you can transfer to a new phone or new Auth app. If your old phone gets broken, you will not be able to get into your account to get the code. After that, you will need to hire a hacker to get back into your account.

      Hope this clear info for you.

    • #2693220

      Hope this clear info for you.

      Very, very clear. Very, very helpful. Many thanks.

      Very scary, though, about the generation of thousands of codes to trick the web site. Don’t most web sites lock you out after 3 or tries? On another post on Woody I remember seeing that it would take a fast PC 19 years to crack a 6 digit code. If so I guess they could get lucky with the first 3 tried?

      Of course, the good thing I like about the authenticator is that both the userid and password has to get through before getting to the authenticator (I know passwords are losing credibility but at least with the 2 that is better than no protection). And of course passkeys and USB sticks are a whole other discussion.

      • #2693638

        On another post on Woody I remember seeing that it would take a fast PC 19 years to crack a 6 digit code.

        That was in connection with passkeys, where a locally stored Windows Hello PIN is protected by TPM 2.0 (and also applies to a Bitlocker PIN):

        Humm. On a Google search one site “LogMeOnce” has the summary that they can crack a 6 digit PIN instantly.

        Not with TPM 2.0 anti-hammering. Six digits would take 19 years.

    • #2693225

      I have printed out and kept in my fireproof safe

      But is the safe “safe”? A few years ago I researched buying a home safe and found videos of burglars stealing the safe, taking it to a remote location, and pounding off or torching off the hinges.  On the local news they even show thieves stealing ATM machines after pulling them out of the building with a chain and truck.

      I plan to keep my codes in a bank safe deposit box although even those have some risk as well as being inconvenient to access. Perhaps keys on an encrypted disk inside a home safe might be a good alternative. I also worry about cloud storage with all the companies being hacked.

    • #2693229

      Since “most” PC’s*, and all cell phones, use the internet to synchronize their time

      Interesting. My PC is 3 minutes behind my cell phone. On the time setting menu, Win 10 Home, the button for “Set Time Automatically” is on.

      However, the “Synchronize your clock” has a caption “Last sync … 2019” and a button that says, “Sync Now”.

      I clicked the button and it says, “Failed, no time server specified” but there is no way to specify a server!!

      I found another link that opens a window that shows a choice of time.windows.com or time.nist.gov but clicking the Update button next to either one I get “Unable to start windows time service”. No wonder I am off 3 minutes.

    • #2693264

      Your default phone camera app can’t scan QR so can’t get the code

      Not the case on all the phones I use. Using the camera to view the QR shows a link to the text which you tap.

      Authy was discontinuing its desktop version

      That’s why I moved my codes to KeePass.

      A 2019 Independent Security Evaluators study described KeePass as well as other widely used password managers as being unable to control Windows 10‘s tendency to leave passwords in cleartext in RAM

      Nothing can hide clear text in Windows. This is a Windows issue that password managers get around by keeping the passwords encrypted until they have to be used. They also overwrite the memory used for storing the passwords once the password is used, to prevent the data being swapped to disk.

      cheers, Paul

    • #2693610

      Very scary, though, about the generation of thousands of codes to trick the web site. Don’t most web sites lock you out after 3 or tries? On another post on Woody I remember seeing that it would take a fast PC 19 years to crack a 6 digit code. If so I guess they could get lucky with the first 3 tried?

      That was old info. With the current generation of computers, it is almost instant to get by 6 characters with numbers only with a brute force attack. (See image below). For passwords, most websites do lock you out after 3 tries since it is very easy to figure out a password with brute force. There is no locked out for 2FA.

    • #2693622

      There is no locked out for 2FA.

      Wow. No lock out for 2FA? Then it would seem a 16 mixed char password is safer than an authenticator or passkey code. At least with Authenticator you have both a password and the authenticator code.

      • #2693747

        Wow. No lock out for 2FA? Then it would seem a 16 mixed char password is safer than an authenticator or passkey code.

        That’s not a logical conclusion. Both are safer than a password.

    • #2693627

      See this post for details on setting a time server.

      That sequence is a bit above my level of confidence. I am not sure if I would not make it worse.

      One note though: I have 2 other PC’s that were updated to Win 10 from Win 8.1 and their time sync function works fine. However, my laptop OEM is the one that won’t sync and that last sync date I mentioned is the date I bought the PC new. That makes me think there was a bug from the beginning, and I just never noticed before now since the time is only off 3 minutes.

      So I guess it must be a bad time file in windows. Fortunately it won’t affect the purpose of this thread because I realized the Authenticator code calc using time is from the time in the cell phone which matches all other time sources I have.

      • #2693731

        It’s a simple procedure that you can easily change if it’s not right. It won’t make the problem worse than it already is.
        Give it a go and see how it works – ask here if you want extra confirmation.

        cheers, Paul

    • #2693662

      There is no locked out for 2FA.

      I set up one account with the Authenticator. I went to set up a second account but did not realize I had to click “scan a qr” at the bottom of the screen so it kept generating a code for my first account. After 3 attempts using the wrong code it did lock the account for too many tries.

      So I guess it depends on the web site.
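
The replies above describe the site and the app each computing the 6 digit code from the shared seed and the clock, guess that the clock is UTC-based, and debate whether wrong codes lock the account. The sketch below is an added example, not code from any poster or product in this thread: it implements the standard TOTP calculation (RFC 6238, HMAC-SHA1, 30 second steps) plus a server-side check. The seed is the RFC's published test key; the `Verifier` class, its `window` and `max_failures` settings, and the simple failure counter are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP = 30     # seconds each code stays valid (RFC 6238 default)
DIGITS = 6

# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in base32.
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def code_for_step(seed_b32, step):
    """Code for one 30-second step: HMAC-SHA1 of the step number, truncated to 6 digits."""
    s = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))       # restore stripped padding
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(seed_b32, unix_time):
    """What the phone app displays at a given Unix time (seconds since 1970, UTC)."""
    return code_for_step(seed_b32, int(unix_time) // STEP)


class Verifier:
    """Hypothetical server side: tolerates small clock drift, blocks reuse, locks on failures."""

    def __init__(self, seed_b32, window=1, max_failures=3):
        self.seed, self.window, self.max_failures = seed_b32, window, max_failures
        self.failures = 0
        self.last_step = -1    # newest step already accepted; an older or equal step is refused

    def check(self, code, server_time):
        if self.failures >= self.max_failures:
            return "locked"    # assumption: a real service would also expire or throttle this
        now_step = int(server_time) // STEP
        for step in range(now_step - self.window, now_step + self.window + 1):
            expected = code_for_step(self.seed, step).encode()
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.failures, self.last_step = 0, step
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.max_failures else "rejected"


def same_instant_two_zones():
    """One instant written in UTC and in UTC-5: the Unix time, and so the code, is identical."""
    utc = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    est = datetime(2009, 2, 13, 18, 31, 30, tzinfo=timezone(timedelta(hours=-5)))
    return totp(SEED, utc.timestamp()), totp(SEED, est.timestamp())


if __name__ == "__main__":
    server_now = 1111111111                               # constructed server clock
    print("two time zones:", same_instant_two_zones())

    # Phone clock 2 seconds slow: it is still in the previous 30-second step.
    slow_code = totp(SEED, server_now - 2)
    print("window=1:", Verifier(SEED, window=1).check(slow_code, server_now))
    print("window=0:", Verifier(SEED, window=0).check(slow_code, server_now))

    # Phone clock 3 minutes slow: six steps away, outside any small window.
    very_slow = totp(SEED, server_now - 180)
    print("3 min slow:", Verifier(SEED).check(very_slow, server_now))

    # Repeated wrong guesses: the account locks, and then even the right code is refused.
    v = Verifier(SEED, window=0)
    for guess in ("000000", "111111", "222222"):
        print("guess", guess, "->", v.check(guess, server_now))
    print("right code after lock:", v.check(totp(SEED, server_now), server_now))
```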

    • #2693768

      It’s a simple procedure

      Well, there were several different solutions, all confusing to me. Also I found a Microsoft help file and it said MUST stop Windows Time Service before making changes and I could not find how to stop Win Time Service.

      But on a brighter note in all of that I found what seems to be the kernel, w32tm.exe. I tried clicking that and nothing happened. It is also coincidental that w32tm.exe is showing modified at same date I bought PC and same date of last sync so maybe I just have a bad module?

      I wonder if that module is common to Win 10 so maybe I could just copy it from my other PC to this one or download from MS?

      In any case I am not going to worry about it as it has been this way for ever and I only thought it was a problem with the authenticator calc which is now no problem since that uses the cell time that is correct.

      • #2693931

        w32tm.exe. I tried clicking that and nothing happened

        You have to run it from an elevated Command Prompt. It is not a GUI program.

        The commands are shown in the first reply in the thread I linked above.

        net stop w32time
        w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
        net start w32time
        w32tm /config /update
        w32tm /resync /rediscover

        To open an elevated Command Prompt use these keystrokes:
        Win r
        cmd
        Ctrl Shift Enter
        Select Yes in the UAC pop up.

        cheers, Paul

    • #2693776

      That’s not a logical conclusion

      My old logic, yes, concluded passwords were the least safe but when clan’s chart above showed a 16 char mixed password taking decades to break and that is protected by the “3 tries” test of most websites BUT a 6 digit authenticator code can be broken in seconds and according to clan is NOT protected by “3 tries” test, my logic changed.

      Perhaps I misunderstood.

      If “3 tries” are applied separately to BOTH password and authenticator on one sign in, then that seems like a great security but of course more trouble to use.

    • #2693779

      My old logic, yes, concluded passwords were the least safe but when clan’s chart above showed a 16 char mixed password taking decades to break and that is protected by the “3 tries” test of most websites BUT a 6 digit authenticator code can be broken in seconds and according to clan is NOT protected by “3 tries” test, my logic changed.

      The way I look at it is, the bad actor would have to have your UID/PW and a revolving 6 digit pin that expires every 30 seconds. That is certainly more secure than a UID/PW by itself.

      If someone broke into my PC and was able to get by my 20 digit PW (or my fingerprint) for my PW Manager, THEN, they would have everything they would need to log in to my sites. I really don’t think my home PC is THAT important. 😁

    • #2694041

      The commands are shown

      For

      net stop w32time

      I got “The Windows Time service is not started.”

      For

      w32tm /config /syncfromflags:manual /manualpeerlist:”0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org”

      I got  “The following error occurred: Access is denied. (0x80070005)”

      Hey, I really appreciate your taking so much time to help on this but since the time function works and is only 3 minutes off I am not sure it is worth any more time spent on this when you have a ton of other Woody threads to deal with.

      Many, many thanks.

    • #2694226

      Access is denied

      You need to run in an elevated (admin) Command Prompt.

      Win R
      cmd
      Ctrl Shift Enter

      cheers, Paul

    • #2694674

      You need to run in an elevated (admin) Command Prompt.

      I am signed in as Local Administrator. I still get the error. Perhaps the problem is that maybe I forgot to mention this is Win 10 Home.  Perhaps the Home edition won’t support that type of cmd?

      However, I did discover by turning off “Set Time Automatically” in” Settings/Time and Language”, and then the “Set the Date and Time Manually” opened the “Change” Button. So yesterday I did that and set the time to same as my cell phone time. Today the two times are still the same with the “Set Time Automatically” set to On. It did not give me an option for seconds so I don’t know if the Automatic takes care of that.

      Thanks again for your help.

    • #2694699

      Perhaps the problem is that maybe I forgot to mention this is Win 10 Home. Perhaps the Home edition won’t support that type of cmd?

      Nope, it’ll work for all versions of Windows as long as the cmd prompt is run as admin (i.e. it should look like this.)

      [Image: CmdPrompt]

      I got “The Windows Time service is not started.”

      That’s because the net stop w32time command attempted to stop the Time Server Service but couldn’t because it wasn’t running (i.e. it was already stopped!)

      Since it was already stopped, the other 4 commands “should” have worked to set it to auto-sync with one of the NTP master clocks listed and restarted it.

      Just FYI, all the clocks in @Paul T‘s list are in Italy so, if you’re in a different part of the world, you’ll want to use one closer to home to avoid any possible synchronization issues due to network delays in retrieving the data.

      Here’s the US Time Server’s list and UK Time Servers list or you can Google for a list in whatever area of the world you happen to be in.

      • #2694815

        Well spotted. That line should be:
        w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

        cheers, Paul

        edit: fixed double quotes

    • #2694740

      Running the Command Prompt as Administrator doesn’t just mean being logged in with an ID that is an administrator.
      To run the Command Prompt “as Administrator:”
      In the taskbar search box, type cmd.
      Right click on the cmd.exe in the answer box and choose “Run as Administrator.”

    • #2694783

      you’ll want to use one closer to home to avoid any possible synchronization issues

      Whew! I did not see a clock referenced in the script Paul listed. I thought his script just kicked off my Win to sync the clock since it had not been synced since 2019 and was off 3 minutes.

      I looked at ControlPanel/Clock and Region/Date and Time/InternetTime and it shows “The computer is set to automatically sync with ‘time.windows.com'”. If I select change it offers that along with “time.nist.gov”. I tried selecting ‘time.windows.com’ and update with sync and got error “Unable to start Windows Time Service”.

      Regardless of which, I did not see anything in Paul’s script to select one of those and which one to use. (Maybe after opening the config/update it gives me a choice?)

      Thanks for pointing this out.

    • #2694788

      To run the Command Prompt “as Administrator:” In the taskbar search box, type cmd.

      Ah, that is the trick, but there was a difference between Paul’s and your approach.

      Paul said to click Win + r and type cmd there, which opened a black DOS screen where I entered Paul’s script.

      You said type cmd on the Win search box which then opened a Win Command Prompt selection list where I then saw the “Run as Administration”

      Whew! So many tiny details.

      Many thanks.

      • #2694886

        Paul said to click Win + r and type cmd there, which opened a black DOS screen where I entered Paul’s script.

        But he added Ctrl Shift Enter, which would have opened Command as administrator.

    • #2694807

      Nope, it’ll work for all versions of Windows as long as the cmd prompt is run as admin (i.e. it should look like this.)

      I was able to start and resync with “time.window.com” on my older Win 8.1 converted to Win 10 PC.

      But on the newer OEM Win 10 Home I get the screen attached below. Note the time is still ok except maybe for the “seconds” after I did the Win manual update yesterday.

       

      • #2694819

        That message suggests the time service is broken – thus your issue.

        Press Win and type service.
        Select “Services, System” from the list to run the Services app.
        Scroll down to “Windows Time”.
        It should be running with a startup type of “manual”.
        You can try starting it from the Services app.

        If it won’t start you may need to run the Windows cleanup fixes.
        sfc /scannow
        DISM /Online /Cleanup-Image /RestoreHealth

        cheers, Paul

    • #2694840

       

      That message suggests the time service is broken – thus your issue.

      Now with Woody’s help and a lot of Google search and Microsoft articles, it is obvious that on both my Dell and HP PC’s, Windows Time Service was never started from brand new right out of the box and has been off on both for a decade. (See Attachment)

      Can someone from Dell and HP please tell me why? Is this just not necessary for anything except high tech usages?

      One article mentioned that Windows Time Service is not very accurate and to make it accurate a value “0” has to be inserted at “MAXALLOWEDPHASEOFFSET”.

      And if it is not necessary so therefore the default set to off, where is the PC getting its time from? One article said the OS will find a time server on the network (my home ISP?). If the Windows settings function “Set time automatically” is getting it daily from the ISP then perhaps that is blocking the time sync function and/or turning on Windows Time Service? If so that begs the question as to the level of accuracy of the ISP -seconds, milli seconds?

      [Image: TimeSvcStatus]

    • #2695042

      Here’s how my W32Time server is set:

      [Image: W32TimeSetting]

      And here’s how my Internet Time sync is set:

      [Image: InternetTimeServer]

      To change the w32Time service, Press WinKey + R, enter Services.msc and press Enter

      Scroll down to Windows Time, right-click and select Properties.

      Change the Startup type: and click OK.

      ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
      To change the time server you sync with, Press WinKey + R, enter timedate.cpl and press Enter.

      Select the Internet Time tab.

      Click the Change settings… button.

      Check the Synchronize with an Internet time server box.

      Use the Server: dropdown to select your preferred time server.

        Note: if it’s not listed, highlight an entry and “manually” type it in to add it to the list.

      Click OK twice to exit.

    • #2695047

      But he added Ctrl Shift Enter,

      You are absolutely correct. My mistake. My apologies, Paul. As soon as I typed the cmd I got the screen with the OK which distracted me from going back to read the next line of the script so I clicked OK and thus went down the wrong path.

      [Image: cmd]

    • #2695270

      To change the w32Time service,

      Since I still have not figured out why I cannot do anything to time on just this one PC everything is grayed out.

      [Image: Capture1]

      To change the time server you sync with

      This one is already okay as this would be the server I would want (I think??)

      [Image: Capture2]
      Thanks again for your help including the previous replies!!

    • #2695293

      Since I still have not figured out why I cannot do anything to time on just this one PC everything is grayed out.

      If you’re willing to manually edit the registry, the Startup type: can be changed to Automatic (Delayed Start) as follows.

      WinKey+R, enter regedit, press Ctrl+Shift+Enter to Run as administrator and goto the following location.

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

      Change the Start value from 3 to 2.

      Exit regedit and reboot to see the change.

      FYI, here’s a list of all the possible Start values for services.

        0 = Boot (started by System Loader)
        1 = System (started by IOInitSystem)
        2 = Automatic (started by OS at start-up)
        3 = Manual (manually started by user/app)
        4 = Disabled (cannot be started)

        Note: Start types 0 & 1 are only valid for device drivers!

    • #2695313

      In Services.msc can you manually set the settings like this then start the Windows Time Service?

      [Image: Windows-Time-Service]

      • #2695342

        The problem is @J9438 indicated that’s not possible for them because all the options to do it that way are grayed out!

    • #2695365

      sfc /scannow

      Ran it and it said fixed a lot of stuff.

      [Image: Capturesfc]

      DISM /Online /Cleanup-Image /RestoreHealth

      Ran it no results

      CaptureDism
      Both of my Win 8.1 upgraded to Win 10 work perfectly. Am able to stop and start Win Time. The newer OEM Win 10 seems to be a permission problem. A lot of people report the same error 0x80070005 in a Google search. Most just said to use the DISM or some complex Registry Key change, which for me is just too dangerous with something that has not been a problem for years.

      Thanks so much for all the help and I will keep looking for permission fixes. However, fortunately my purpose for this thread was to do an Authenticator key and that was a huge success.

      My takeaway on this is that the Windows Time is not real critical to most users and only needed if one has a desktop app that MUST have EXACT time and even that needs the added registry key MAX… mentioned earlier.

    • #2695378

      only needed if one has a desktop app that MUST have EXACT time

      Windows needs accurate time for authentication (TOTP generation is one type). 60 seconds out will break TOTP.

      Try running SFC again and reboot.
      Try n0ads simple registry change and reboot.

      cheers, Paul

      1 user thanked author for this post.
    • #2695397

      Try n0ads simple registry change and reboot.

      Decades ago I had a popular antivirus program that had a “Registry Cleaner”. When I used it, it trashed my computer, so I have dreadfully feared messing with the registry since.

      However, n0ads instructions seemed simple enough so I gave it a try and rebooted as you suggested.

      WALA! IT WORKED.


      Although oddly the Windows\ Settings\ Date and Time\sync still fails and showing not synced since 2019 – but who cares with Windows Time Service running. And the time source still showing “Time.Windows.com”.

      Also Window Time Service Properties is still grayed out – but again who cares.


      Thanks again. Woody people are the greatest!!

    • #2695495

      Although oddly the Windows\ Settings\ Date and Time\sync still fails and showing not synced since 2019

      Open Task Scheduler (WinKey+R, enter taskschd.msc and press Enter) and go to Task Scheduler Library > Microsoft > Windows > Time Synchronization and ensure the ForceSynchronizeTime & SynchronizeTime tasks both show a Status of Ready.

      This one is already okay as this would be the server I would want (I think??)

      Also, clicking the Update now button on that Internet Time tab will force a new time synchronization attempt but be aware, the time.windows.com server is maintained by Microsoft and is known to sometimes have issues synchronizing time with PCs.

      I’d suggest you change it to one of the NIST (National Institute of Standards and Technology) time servers from the list in my post #2694699 as they’re way more reliable!

      1 user thanked author for this post.
    • #2695544

      ensure the ForceSynchronizeTime

      True, but notice the Force was not run since 1999 while the other ran on the 9th before I did your registry key. I guess that was the normal scheduled sync with whatever time service.


      I’d suggest you change it to one of the NIST

      Update failed for any source.


      Thanks again. You really know your stuff and are a great teacher!!

    • #2695551

      Well I went back and did another SFC which found no errors this time.

      Then I tried the time source update again and it worked this time but the w32tim still grayed out.

      So if it is syncing now then that is all I can ask for and makes possible any time based functions.

      Thanks again for all the help from you Woody people!!

    • #2695562

      I would test it again over the next week to see if it still works – and check if the scheduled tasks are successful.

      cheers, Paul

      1 user thanked author for this post.
    • #2695626

      I don’t want to use up any more of anyone’s time, but I did find one more possibility in the large number of Windows Time errors reported on a Google search if anyone is still curious.

      One article mentioned another registry key.

      So I compared that set of keys on my broken PC with my PC that works fine.

      My PC showing

      CaptureOEM-pc

      On the PC that works there is an additional key between “Resolve Peer…” key and “Signature Auth…”

      That additional key is “RunOnVirtualOnly” Value 0

      Could this be needed to permit changes to w32time? I don’t want to just add it in without knowing or I might just be adding to the problem already there. Thanks.

      • #2695831

        Synchronization works just fine on my system and there’s no such key in the registry.

        FYI, key value = 0 normally means the item controlled by it is disabled.

        1 user thanked author for this post.
    • #2695989

      Possibly because the OS install of the machine with no permission to change w32tm is two years older than the OS install of the machines with permission (although build numbers are the same), then maybe the permission structure was changed on the newer OS or a bug fixed.

      In whatever case the timer is running and synchronizing with the registry change n0ads gave me so that will satisfy future requirements of desktop TOTP apps.

      There are so many reports on Google (for example – My W10 computer is unable to sync time (sync failed). I found that the time service is not running. When I try to start it, I get “Access is denied” – even in an Administrator shell: ) that perhaps it is a known problem that MS just has not had time to fix.

      Thanks again to all helping on this.

    • #2696068

      I get “Access is denied”

      I can start the “Windows Time” service from the “services.msc” console without issue.
      As you are denied you are either not an administrator on that box, or there is some file / permission corruption. The best way to fix that is to reinstall Windows over the top.

      cheers, Paul

      1 user thanked author for this post.
    • #2696098

      The best way to fix that is to

      Thank you so much for the way to do a complete fix.

      Since my timer is running and syncing fine, I think for now I should hold off such major surgery. It was scary enough doing the registry change, but when I get some free time (since apparently it takes a while to do) I will try it on my other back up PC just for practice.

      Whew, I sure have learned a lot from this thread – auth apps, timers, registry settings, command prompt, over the top installs. Woody people are great teachers!!

      1 user thanked author for this post.
    • #2700396

      For all the people like me that need a very detailed check list on how to use an Authenticator App, I would like to summarize what I learned from all the STAFF and USERS of Woody above and in other threads, into such a list. I hope future users will stumble on this list if they have the same need.

      This is based on iPhone and Google Authenticator. (Note some Woody threads suggest all the Authenticators use the same standard and are interchangeable as well as that the Web sites using authentication are oblivious to what phone numbers are used.)

      1. Sign in to your phone if not already there.
      2. Click Apple Store
      3. Search “Authenticator” on the Search Bar (Warning, on mine I got a list, and the top one was some brand X and under that was Google Authenticator. Make sure you install the one you want.)
      4. Click “Install” the Authenticator App
      5. Now go to the Web site and scroll down to their Security Settings or Sign In Settings (Note it might be less confusing to have the Web site on your PC instead of cell phone since you will be using your cell phone simultaneously with the Web site displays.)
      6. There should be an option for Multi Factor Authentication and possibly a specific Authenticator App. (As mentioned above it may be possible to use another app but best to use the one they suggest.)
      7. Click the “Set Up” or similar selection.
      8. Here is where it gets tricky. Your Web will now display on your screen a QR picture and/or a very long text code. This is the “key” used by both the web site and your phone app to generate 6 digit codes each time you sign into the web site. This key along with the computer time at both web site and cell phone app is put into an algorithm that calculates the 6 digit code.

      Okay, now screen print the QR and copy/paste the QR and text code to a SAFE (like in a bank safe deposit box) file for future recovery if needed. If you don’t see the actual text there might be a link on the web site to “Copy Code”, which can then be pasted. I think it might also be possible to use this copy to set up the authenticator on a back up phone, but I did not try that yet.

      9. Okay, now you still have the QR squiggly on your web site screen. Right? If not go back to step 5 and REPEAT ALL the steps EXACTLY.
      10. Open the Authenticator App on your phone and open your phone camera.
      11. With the Authenticator App OPEN (very important) point the camera at the QR squiggly on the web site screen and click it. The Authenticator App automatically will grab that picture and store the “key”. It will then generate a 6 digit code and display it on your cell phone screen.
      12. You have 30 seconds to type that code from the cell app screen onto the web site screen before a new code appears.
      13. If accepted by the web site (the web calculates the code on their end and compares it to the code generated in your cell phone and typed by you onto the web site line) you are signed in. (This is what makes this form of MFA secure in that the code is not transmitted across the internet but instead is calculated at each end.)
      14. Note if you are adding a second account in the future, when you open the Authenticator App, INSTEAD of you immediately taking the picture, watch that the App will ask if you want to add a QR or a TEXT. I did not notice this and when it started generating 6 digit codes I was entering codes for my 1st account and after 3 tries locked the second account. I suppose after you add more sites there is a list to select from for the 6 digit code.

      15. So you are SET UP. Next time you sign into your web site it will ask for a 6 digit code AFTER you have entered your userid/password as normal. Have the app open on your cell phone and you will see a new code every 30 seconds. Type code quickly on the web site and you are in if the code matches.

      16. On my app the 6 digit code changed color just before a new code was generated. I have not tried but I think if you wait until the code changes and immediately use that code you may have more time and accuracy in typing the code. (Remember both the web site and your cell phone app start calculating a 6 digit code at a specific PC/cell/international time and 30 seconds later begin calculating a new code. Both have to match to authenticate you. Make sure your PC, tablet, cell phone, or other device all show the same internet time.)
      17. Note also that one of the Woody users above noted that some password managers will automate some of these steps. I did not use such so read back up there if interested.

      Okay, hope this was helpful.

       

      1 user thanked author for this post.
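The calculation that step 8 of the checklist describes (shared key plus clock time giving a 6 digit code), together with the earlier remark that a clock 60 seconds out breaks TOTP, shown as an added example that is not part of any post in this thread. It follows RFC 6238 with HMAC-SHA1; the sample key is the RFC's published test secret, and the one-step tolerance in `verify` and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as in the checklist
DIGITS = 6

# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in
# Base32, the form a site shows as the "very long text code" under the QR.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def totp(key_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1: the shared key plus the clock give the code."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = int(unix_time // step)              # number of 30 s steps since 1970
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32, submitted, server_time, window=1):
    """Server side: recompute locally, tolerating `window` steps of drift.

    window=1 is an assumed tolerance, not a value stated in the thread.
    """
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key_b32, server_time + drift * STEP)
        ok |= hmac.compare_digest(expected, submitted)   # constant-time compare
    return ok


def accepted_with_skew(skew_seconds, server_time=1111111109):
    """Would a phone whose clock is off by skew_seconds still log in?"""
    phone_code = totp(SAMPLE_KEY, server_time + skew_seconds)
    return verify(SAMPLE_KEY, phone_code, server_time)


if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_KEY, 59))
    for skew in (0, 20, -20, 60, -60):
        print(f"phone clock off by {skew:+d}s ->", accepted_with_skew(skew))
```

A 60 second error always lands the phone two 30 second steps away from the server's step, which is why it falls outside a one-step tolerance while a 20 second error does not.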
    • #2700500

      For all the people like me that need a very detailed check list on how to use an Authenticator App, I would like to summarize what I learned from all the STAFF and USERS of Woody above and in other threads, into such a list. I hope future users will stumble on this list if they have the same need.

      Thanks for taking the time to put together this checklist

      1 user thanked author for this post.