Improvements #14192

closed

Make TOTP also accept codes one period in the future

Added by Matthias Van Ceulebroeck 3 months ago. Updated 26 days ago.

Status: Closed
Priority: Normal
Target version: (none)
Start date: 12/09/2025
Due date: (none)
% Done: 100%
Estimated time: (none)

Description

When TOTP creates a token, it will do so based on the current timestamp.
To avoid each millisecond generating a new unique token, the implementation segments the timestamps in blocks of X seconds (by default 30 seconds).

When validating a provided token, the TOTP implementation allows for the current token, and one single past token to pass the check. This is to ensure that when a user takes a while to copy the token from the generator to the input, they have a small grace-period.
Additionally, most generators will also display the validity left for the token. Users are then not forced to wait the last couple of seconds (knowing it would fail otherwise).

We now should also accept the token that is one segment in the future. This is to avoid any issues with devices whose clock isn't correctly synced. A discrepancy of milliseconds isn't likely to cause issues, but with a couple of seconds of difference, there is a period where the user expects a token to be valid, in which it would not be.
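The window described above, as an added example in Python (this is not the project's own code and not the issue author's implementation): RFC 6238 TOTP with HMAC-SHA1, 6 digits and a 30-second step, plus a validator that takes the number of past and future steps it will accept. The `skew_demo` helper then reproduces the failure mode from the description: a client whose clock is a few seconds ahead, submitting a code just before a step boundary. The secret is the ASCII test secret from RFC 6238 Appendix B; the timestamps and the 5-second skew are constructed values for the demonstration.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # the default period mentioned in the issue
DIGITS = 6

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here
# only so the generator can be checked against the published vectors.
RFC6238_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step                      # T = floor(time / X)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def validate_totp(secret: bytes, candidate: str, server_time: int,
                  past_steps: int = 1, future_steps: int = 1,
                  step: int = STEP_SECONDS, digits: int = DIGITS):
    """Return the step offset at which candidate matches, or None.

    past_steps=1, future_steps=0 is the old behaviour (current + one past step);
    past_steps=1, future_steps=1 is the behaviour requested in this issue.
    Offsets are tried from oldest to newest; a constant-time compare is used so
    the validator does not leak which digits matched.
    """
    for delta in range(-past_steps, future_steps + 1):
        expected = totp_code(secret, server_time + delta * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return delta
    return None


def skew_demo(client_skew_seconds: int, server_time: int, future_steps: int):
    """Client generates a code on its own (skewed) clock; server validates it.

    Returns the matched offset, or None if the code was rejected.
    """
    client_code = totp_code(RFC6238_SECRET, server_time + client_skew_seconds)
    return validate_totp(RFC6238_SECRET, client_code, server_time,
                         past_steps=1, future_steps=future_steps)


if __name__ == "__main__":
    # Constructed scenario: server is 2 s before a step boundary (step 999),
    # the client's clock runs 5 s fast, so the client is already in step 1000.
    server_now = 1000 * STEP_SECONDS - 2
    print("old policy (no future step):", skew_demo(5, server_now, future_steps=0))
    print("new policy (one future step):", skew_demo(5, server_now, future_steps=1))
```

The `skew_demo` calls show the case the issue is about: with `future_steps=0` the client's code is rejected even though the client's own generator shows it as valid for several more seconds; with `future_steps=1` it is accepted with offset `+1`. The window stays at one step on either side, so the accepted set grows from two codes to three and no wider.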

Actions #1

Updated by Matthias Van Ceulebroeck 3 months ago

  • Status changed from InProgress to Review
  • Assignee deleted (Matthias Van Ceulebroeck)
Actions #2

Updated by Matthias Van Ceulebroeck 3 months ago

  • Status changed from Review to Implemented @Emweb
  • Assignee set to Matthias Van Ceulebroeck
  • % Done changed from 0 to 100
Actions #3

Updated by Romain Mardulyn 26 days ago

  • Status changed from Implemented @Emweb to Closed