Two-factor authentication codes (one time passcodes) expire too quickly

Currently, it appears that when logging in to Cohost, the site will only accept the one-time passcode (OTP) that is valid at the point that the form is submitted.

Whilst this seems sensible in theory, it has a few practical issues around the top of the minute when the OTP is renewed:

  • Unlucky timing on the user's part could result in them only finishing typing the OTP when it is close to, or has already, expired.
  • A slow network connection can cause the OTP to have expired by the time the server attempts to validate it.
  • Password management software may automatically fill the OTP field on the user's behalf—useful for accessibility purposes, as a user may not be able to type quickly or easily. However, this means that the app generating the OTP is 'invisible' to the user, so having the OTP expire during this time requires manually locating the new OTP instead of having it pre-filled.

I've personally encountered this frustration about a dozen times now, which might not be a lot, but it feels like that number could've been zero.

Other two-factor authentication methods that use OTPs, in my experience, tend to avoid these issues by accepting both the latest and the most recently expired OTP for the purposes of authenticating a user. Would Cohost consider doing the same? 

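To make the request concrete, here is an added example (not Cohost's code and not written by the post's author) of the server-side difference between strict TOTP validation and validation with a one-step look-back window, as the post describes. It assumes standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits); the secret is the RFC 6238 reference test secret, and the two timestamps are chosen so that a code generated just before a 30-second boundary is submitted just after it, the "unlucky timing" case from the post. The replay guard at the end is an assumption about how a real deployment should pair a look-back window with last-used-counter tracking, not something the post or Cohost describes.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference test secret (ASCII "12345678901234567890"); not a real credential.
SECRET = b"12345678901234567890"

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(at_unix: float, step: int = STEP_SECONDS) -> int:
    """Time step index T = floor(now / step), as in RFC 6238."""
    return int(at_unix) // step


def totp(secret: bytes, at_unix: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    return hotp(secret, totp_counter(at_unix, step), digits)


def verify_strict(secret: bytes, code: str, at_unix: float) -> bool:
    """Behaviour the post describes: only the code for the current step is accepted."""
    return hmac.compare_digest(totp(secret, at_unix), code)


def verify_windowed(secret: bytes, code: str, at_unix: float,
                    steps_back: int = 1, steps_forward: int = 0):
    """Accept the current step plus `steps_back` earlier steps (and optionally
    later ones for client clock skew). Returns the matched counter, or None.
    Constant-time comparison on every candidate; no early exit on length."""
    current = totp_counter(at_unix)
    matched = None
    for counter in range(current - steps_back, current + steps_forward + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            matched = counter
    return matched


def verify_with_replay_guard(secret: bytes, code: str, at_unix: float, last_used_counter: int):
    """A wider window widens the replay window too, so pair it with the standard
    mitigation: remember the highest counter that has ever been accepted for this
    user and refuse anything at or below it. Returns (accepted, new_last_used_counter)."""
    matched = verify_windowed(secret, code, at_unix, steps_back=1)
    if matched is None or matched <= last_used_counter:
        return False, last_used_counter
    return True, matched


# Constructed scenario: the authenticator shows its code at T_SHOWN (2 s before a step
# boundary) and the form reaches the server at T_SUBMITTED (just after the boundary).
T_SHOWN = 1111111109
T_SUBMITTED = 1111111111


def boundary_scenario():
    code_shown = totp(SECRET, T_SHOWN)
    return {
        "code_shown": code_shown,
        "strict_accepts": verify_strict(SECRET, code_shown, T_SUBMITTED),
        "windowed_match": verify_windowed(SECRET, code_shown, T_SUBMITTED),
    }


if __name__ == "__main__":
    print(boundary_scenario())
```

`verify_windowed` returns the matched step index rather than a bare boolean so the caller can persist it; a site that starts accepting the previous step without also rejecting reused counters has doubled how long an intercepted code stays valid. Forward tolerance is left at zero here because the post only asks for the previous code, though real deployments usually allow one step in each direction to absorb client clock skew.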