Describe the bug

All admin users on our site enabled 2FA, which I confirmed by checking the users page.

At some point recently (not sure when) it started showing as disabled for all users, and it is impossible to re-enable the authenticator app from the user profile page. Whether using the QR code or the key it always gives the error "Invalid Two Factor Authentication code."

I have tried resetting, deleting it from my authenticator app and setting it up again from scratch, deleted and reinstalled the plugin, but all to no avail.

In the dev tools network inspector I can see the POST request to /wp-json/two-factor/1.0/totp always returns a status of 400.

The REST API is working as I can visit /wp-json on the front-end.

My local site runs the same plugins and works perfectly.

Any advice on what might be causing this?

Thanks
Simon

Steps to Reproduce

Screenshots, screen recording, code snippet

No response

Environment information

WordPress 6.8.2
Custom theme

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

No