
TOTP occasionally rejected as invalid - maybe window could be widened?

Hi! Thanks for implementing support for two-factor auth, I can sleep well knowing that my chosts are secure. I've noticed a super minor snag, though, which is that my TOTP code is occasionally rejected on the first try and I have to reenter it. Totally speculating, but any chance that this is because they rotate every 30 seconds and y'all are comparing the user-provided code to the single "current" code server-side? If so, could you consider checking against the "previous" code, and allowing the login if either matches? That way it'll still work if I happen to generate a code 29 seconds into the 30-second window and take a few more seconds to submit it.


(There's some precedent and further discussion at https://datatracker.ietf.org/doc/html/rfc6238#section-5.2. Like I said, minor issue, no stress if you've got higher priority things to look at.)


I've been getting bitten by the same bug since TOTP was rolled out and was going to link the same RFC. Typically folks will accept the time step ahead and behind (but still reject any "back in time" values) just in case the authenticator and the server are out of sync. This seems to affect me in about 80% of logins and it's frustrating to have to open a password manager every time I come here, especially when I clear cookies for closed tabs for privacy reasons.

Thanks for the heads up on this.

While I'm here, another little quality-of-life thing that'd be nice to have would be if Safari on iOS showed a numeric keypad instead of the normal keyboard when focusing the TOTP form field. AIUI you can do that by adding an "inputmode" attribute to the field: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/inputmode
Also, a shower thought: if you're short on feature ideas for Cohost Plus!, it would be funny (and I think in the spirit of the product) to let people choose novelty TOTP time step sizes. TOTP that refreshes every 420 seconds, etc. Probably half of the authenticator apps wouldn't handle it correctly and you'd get a ton of support requests; it'd be great.