When trying to set up two factor authentication (2FA) in WHM >> Security Center >> Two-Factor Authentication, after enabling the policy, going to the Manage My Account tab, clicking the Set Up Two-Factor Authentication button, and scanning the QR code with the authenticator app, I then tired to enter the code from my phone, but got the error “The security code is invalid”.
Checking in the /usr/local/cpanel/logs/error_log log I found:
[2021-09-16 09:10:36 -0400] info [xml-api] The security code is invalid. [twofactorauth_set_tfa_config] version [1].
I see the server time was about 25 minutes off in my case. I synchronized the time through WHM >> Server Configuration >> Server Time >> Sync Time with Time Server button, and then tried to verify with the authenticator again and it worked this time.
The time on the server needs to be correct to a few seconds, otherwise the code the server is expecting won’t match what the app is generating and vice versa.