The code is considered valid for n -1, n and n + 1 time steps. We use a 30s time step, so I think this would max out at 59s for a skew tolerance. In your case, if you have up to 70s of skew, this would plausibly break TOTP 2FA.

Not with a FusionAuth policy, but you could enforce it just by checking the user during login, as twoFactorEnabled is an attribute of the user.

There's also this github issue which you may want to vote up: https://github.com/FusionAuth/fusionauth-issues/issues/763

@mangeshp16 The original question is over two years old. Since version 1.42, you can enforce MFA at the tenant level (or the application level if you have the enterprise plan). This means that any user who logs in is required to have MFA. If they do not, they are redirected to a page where they can set it up.

There are other ways to accomplish this. You could build your own MFA page which would call the APIs directly. When a user logs in, you can check to see if they have any twoFactor methods available and if they don't, you can send them to this page.

@denisskaletti Thanks for feedback. I removed your link because it seemed like spam. We welcome useful links that are about using FusionAuth, please check out the blog category and post there.