Time drift with OTP

  • How sensitive is FusionAuth to “Server Time Drift” with regard to 2FA verification for /api/two-factor/login?

    Example: I’ve got some dev instances on 1.19.7.

    I’ve added/enabled 2FA for a user. But no matter what I do, the server responds with:

    242 (with twoFactorId)
    421 (with correct code + twoFactorId params)

    The only item of note is that the server / VM is about 1 minute 10ish seconds ahead of my personal machine.

  • The code is considered valid for n - 1, n and n + 1 time steps. We use a 30s time step, so I think this would max out at 59s for a skew tolerance. In your case, if you have up to 70s of skew, this would plausibly break TOTP 2FA.
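    To make the skew arithmetic from the answer above concrete, here is an added example (not FusionAuth code, and not from either poster) of RFC 6238 TOTP verification with the n - 1, n, n + 1 window and a 30s step. The secret and timestamp are constructed; it shows that the 59s figure is the best case, that only 30s of skew is tolerated at every instant within a step, and that a 70s-ahead server rejects every code.

    ```python
    import base64
    import hashlib
    import hmac
    import struct

    STEP = 30    # FusionAuth's 30-second time step, per the answer above
    WINDOW = 1   # steps n-1, n and n+1 are accepted

    # Constructed demo secret (base32); not a real FusionAuth secret.
    DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


    def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
        """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
        mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % 10 ** digits).zfill(digits)


    def totp(secret: bytes, unix_time: int) -> str:
        """RFC 6238 TOTP: HOTP with the counter n = floor(time / STEP)."""
        return hotp(secret, unix_time // STEP)


    def verify(secret: bytes, code: str, server_time: int, window: int = WINDOW) -> bool:
        """Accept the code if it matches any step in [n - window, n + window]."""
        n = server_time // STEP
        return any(hmac.compare_digest(hotp(secret, n + d), code)
                   for d in range(-window, window + 1))


    def accepted_with_skew(skew_seconds: int, client_time: int) -> bool:
        """Client computes the code on its own clock; the server checks it skew_seconds later."""
        secret = base64.b32decode(DEMO_SECRET_B32)
        return verify(secret, totp(secret, client_time), client_time + skew_seconds)


    # Constructed reference timestamp, aligned to the start of a time step.
    _BASE = 1_600_000_000 - 1_600_000_000 % STEP


    def best_case_accepted(skew_seconds: int) -> bool:
        """Some instant within the step survives the skew (the 59s ceiling from the answer)."""
        return any(accepted_with_skew(skew_seconds, _BASE + o) for o in range(STEP))


    def worst_case_accepted(skew_seconds: int) -> bool:
        """Every instant within the step survives the skew (what a deployment can rely on)."""
        return all(accepted_with_skew(skew_seconds, _BASE + o) for o in range(STEP))
    ```

    Running `best_case_accepted` and `worst_case_accepted` for 30, 31, 59, 60 and 70 seconds shows why a server 70s ahead fails every login while a server 30s ahead never does.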