Live account login fails when IB Key (mobile 2FA) is enabled

[nbopardi]

Summary

Accounts with IB Key (mobile 2FA) enabled cannot connect. After SRP authentication completes, the IB server enters a second-factor challenge loop sending type-530 keepalive messages while waiting for IB Key approval on the user's mobile device (notification is never received). ibx has no mechanism to participate in this challenge, so the post-auth phase times out with "Never received data start after auth" (gateway.rs:592).

Current State

Aspect	Status
SRP auth (username + password)	Works — do_srp completes, session token obtained
Soft token challenge (farm-level 35=S)	Works — do_soft_token responds to farm auth challenges (gateway.rs:188)
IB Key 2FA (login-level)	Not supported — server sends NS keepalives (type 530), ibx loops until timeout
Paper accounts (no 2FA)	Works — full connection including all farms

What Happens

1. SRP authentication succeeds, NS_CONNECT_RESPONSE (type 523) is received
2. Port type change is sent, server acknowledges
3. Instead of NS_FIX_START (type 525), server sends repeated type-530 messages — these are keepalives while IB waits for the user to approve the login on their mobile IB Key app (mobile notification never received)
4. The post-auth loop in gateway.rs:540–594 doesn't recognize these as a 2FA challenge and logs them as "Post-auth msg type=530"
5. After the loop exhausts its iterations, it returns "Never received data start after auth"

What Was Tried

• Adding FLAG_SOFT_TOKEN to connection flags — server rejects; SOFT_TOKEN (xyz.rs:14) is for farm-level XYZ auth challenges, not the initial login 2FA gate
• Proactively sending a SOFT_TOKEN init — server rejects this as well

What's Needed

IB Key 2FA is a server-side push notification flow. The server waits for the user to tap "approve" in the IB Key mobile app. ibx needs to:

1. Detect the 2FA-pending state (type-530 keepalives after NS_CONNECT_RESPONSE but before NS_FIX_START)
2. Active the push notification to the user
3. Wait with periodic keepalive responses until the user approves (or a configurable timeout)
4. Resume normal post-auth flow once NS_FIX_START arrives

[deepentropy]

Investigation findings

Decompiled the gateway (v10.40) NsMessageType enum to identify the missing message types:

Type	Name	Purpose
530	NS_TEST_REQUEST	Server keepalive probe during 2FA wait
531	NS_HEART_BEAT	Client response to test request

The gateway responds to 530 with MISC38;531;{testReqId};. Both constants are missing from ibx.

The gateway has a Second_Factor_Auth orchestrator that supports three 2FA delivery methods: push notification (IB Key), QR code, and SMS. However, the protocol-level mechanism that activates the push notification to the user's mobile device remains unknown — it's unclear whether it's triggered by a connection flag, a specific message after SRP, or is automatic based on account configuration.

A capture request has been filed at deepentropy/ib-agent#76 to trace the full post-SRP message exchange on a live account with IB Key enabled.

Current status

Live account login is not possible due to the missing 2FA feature. Paper accounts (no 2FA) continue to work. This will remain blocked until the ib-agent capture provides the protocol details needed to implement the 2FA handshake.

[nbopardi]

Following up here, is there any way to test ibx on live accounts, or is it paper only at the moment?

I would like to start testing ibx on a live account and would appreciate prioritizing the 2FA feature.

[deepentropy]

Thanks for the willingness to test on a live account — really appreciate it!

However, there are still too many critical paths that need validation on paper trading first before we can safely support live accounts. A bug in position sizing or order routing at this stage could be devastating on a live account. Paper trading gives us the safety net to catch these issues without real financial risk.

The project has been open to the community for about a week now, and as soon as we have more testers helping validate the paper trading paths, we'll prioritize implementing the 2FA handshake to unlock live account connectivity.

In the meantime, paper account testing is very much welcome and would directly help us get to live account support faster.

[Huss3n]

Running into this exact issue. I'm new to algo trading and IB, building a futures scalping bot (MES/ES) on a paper account.

My setup: IBX built from source on WSL2, connecting to IB paper account. 2FA is enabled by default and IB doesn't seem to let me disable it for my account type.

Error I get:

Connection error: Connection failed: SOFT_TOKEN: expected state 2, got 5

This happens immediately after SRP auth — the server returns state 5 instead of state 2 in the soft token challenge. No push notification is sent to my phone.

For now I'm using TWS + ib_insync as a workaround, but TWS has an auto-logoff timer that kills the connection overnight which is a pain for running bots 24/7. Would love to use IBX directly since it doesn't need TWS running.

Is there a timeline for 2FA support, or any workaround besides disabling 2FA (which IB doesn't allow for some account types)?