FusionAuth

    Time drift with OTP

    • dan

      How sensitive is FusionAuth to “Server Time Drift” with regard to 2FA verification for /api/two-factor/login?

      Example: I’ve got some dev instances on 1.19.7.

      I’ve added/enabled 2FA for a user. But no matter what I do, the server responds with:

      242 (with twoFactorId)
      421 (with correct code + twoFactorId params)

      The only item of note is that the server / VM is about 1 minute 10ish seconds ahead of my personal machine.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • dan

        The code is considered valid for n - 1, n and n + 1 time steps. We use a 30s time step, so I think this would max out at 59s for a skew tolerance. In your case, if you have up to 70s of skew, this would plausibly break TOTP 2FA.

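The n - 1, n, n + 1 window from the answer above, as an added example that is not part of the original posts and is not FusionAuth's code: an RFC 6238 verifier with the 30s step, showing which clock skews are accepted depending on where in the step the code was generated. HMAC-SHA1, 6 digits, the secret, the timestamp and all function names are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (from the answer)
WINDOW = 1    # accept steps n-1, n, n+1 (from the answer)
DIGITS = 6    # assumption: common authenticator default
SECRET = b"constructed-demo-secret"  # constructed sample key
BASE = 1_700_000_010                 # constructed time, first second of a step


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int) -> bool:
    """Accept a code matching any step within WINDOW of the server's step."""
    ok = False
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = totp(secret, server_time + delta * STEP)
        ok |= hmac.compare_digest(candidate, code)  # constant-time compare
    return ok


def accepted_with_skew(client_time: int, skew: int) -> bool:
    """Code generated at client_time, checked by a server `skew` seconds ahead."""
    return verify(SECRET, totp(SECRET, client_time), client_time + skew)


if __name__ == "__main__":
    for label, t in (("start of step", BASE), ("end of step", BASE + 29)):
        for skew in (0, 30, 31, 59, 60, 70):
            print(f"{label:13} skew={skew:2}s accepted={accepted_with_skew(t, skew)}")
```

With 70s of skew the server's step is always at least two ahead of the client's, so the code is rejected wherever in the step it was generated; skews of 31s to 59s pass or fail depending on that timing, and only skews up to 30s are always accepted.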