BUG: TOTP validation fails on Chrome/Edge

[faxioman]

Expected Behavior

TOTP token validation should work consistently across all browsers after scanning the QR code and entering the 6-digit token from the authenticator app.

Current Behavior

• Safari/Firefox: Token validation always succeeds ✅
• Chrome/Edge: Token validation always fails with "Entered token is not valid" ❌

The TOTP comparison in forms.py never evaluates to True on non-Safari browsers:

if totp(key, self.step, t0, self.digits, self.drift + offset) == token:
    # This is never True on Chrome/Firefox/Edge

Possible Solution

Since it's browser-specific, it might be related to:

• How different browsers handle form data encoding
• Session/cookie handling differences
• other ... ?

Steps to Reproduce (for bugs)

1. Setup django-two-factor-auth following the standard documentation
2. Login and start 2FA setup process
3. Scan QR code with any authenticator app
4. Enter the 6-digit token
5. Submit form
6. Result: Works on Safari and Firefox, fails on Chrome and Edge

Context

I'm implementing 2FA for a Django application. Everything works perfectly on Safari but fails consistently on all other browsers. This is blocking deployment as users can't enable 2FA unless they use Safari/Firefox.

Your Environment

• Browser and version: Safari/Firefox (works), Chrome/Edge latest versions (fail)
• Python version: 3.12.11
• Django version: 4.0.5
• django-otp version: (included with django-two-factor-auth)
• django-two-factor-auth version: 1.16.0

[moggers87]

I can reproduce the error in Firefox with version 1.17.0 but: the bug I've found should affect Safari too as it's a bug in the view, noting to do with cookies or request data.

Ah no, I misread your bug report. I was in fact able to complete setup using Firefox just fine.

[faxioman]

Yes, it's true, it works on Firefox. So, it works on Firefox but I confirm that it doesn't work on either Chrome or Edge. I'll try to investigate further to understand if it's an encoding issue.

[faxioman]

Unfortunately, I haven't been able to figure out where the problem lies. I also tried making several modifications to get_otpauth_url without success.
What I really can't explain is why it always works on Safari/Firefox but practically never on Edge/Chrome (although it has worked on rare occasions in a seemingly random way).
I opted to implement a simple Django app with the features I need using pyotp.
If the problem is not replicated in other situations, I'd say we can close the issue.