Time drift with OTP

  • How sensitive is FusionAuth to “Server Time Drift” with regard to 2FA verification for /api/two-factor/login?

    Example: I’ve got some dev instances on 1.19.7.

    I’ve added/enabled 2FA for a user. But no matter what I do, the server responds with:

    242 (with twoFactorId)
    421 (with correct code + twoFactorId params)

    The only item of note is that the server / VM is about 1 minute 10ish seconds ahead of my personal machine.

  • The code is considered valid for n - 1, n and n + 1 time steps. We use a 30s time step, so I think this would max out at 59s for a skew tolerance. In your case, if you have up to 70s of skew, this would plausibly break TOTP 2FA.
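Added worked example (my own standalone RFC 6238 implementation, not FusionAuth's code) to make the skew arithmetic in the reply above concrete. It assumes the policy described there: a 30 s time step, a window of n - 1, n and n + 1, plus the RFC defaults of HMAC-SHA1 and 6-digit codes. The secret and the timestamps are constructed for the demonstration; `SECRET` is the RFC 6238 test-vector key so the TOTP output can be checked against the RFC. It also shows a detail worth knowing when you debug this: the tolerated lag is not a fixed 59 s but anywhere from 30 s to 59 s, depending on where inside the current 30 s step the server's clock happens to be.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step in seconds (the value the reply describes)
DIGITS = 6     # RFC 6238 default code length
WINDOW = 1     # accept steps n - 1, n, n + 1, as described in the reply

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890"), not a real key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = WINDOW, step: int = STEP) -> bool:
    """Server-side check: accept the code if it matches any step in n - window .. n + window."""
    n = server_time // step
    return any(hmac.compare_digest(hotp(secret, n + d), code)
               for d in range(-window, window + 1))


def step_offset(server_time: int, skew: int, step: int = STEP) -> int:
    """How many steps the client's counter is behind (negative) or ahead (positive) of the server's
    when the client clock lags the server by `skew` seconds. Pure arithmetic, no HMAC."""
    return (server_time - skew) // step - server_time // step


def accepted_with_skew(secret: bytes, server_time: int, skew: int) -> bool:
    """Client clock lags the server by `skew` seconds (negative = client is ahead).
    Does the code the client generates verify on the server?"""
    client_code = totp(secret, server_time - skew)
    return verify_totp(secret, client_code, server_time)


def max_tolerated_lag(secret: bytes, server_time: int) -> int:
    """Largest client lag in seconds, at this exact server instant, whose code still verifies."""
    lag = 0
    while accepted_with_skew(secret, server_time, lag + 1):
        lag += 1
    return lag


if __name__ == "__main__":
    # Constructed server instants: one exactly on a step boundary, one at the end of a step.
    on_boundary = 1_700_000_010          # 1_700_000_010 % 30 == 0
    end_of_step = on_boundary + 29       # 29 s into the same step
    for label, t in (("server clock on step boundary", on_boundary),
                     ("server clock 29 s into the step", end_of_step)):
        print(f"{label}: tolerates {max_tolerated_lag(SECRET, t)} s of client lag; "
              f"70 s lag accepted: {accepted_with_skew(SECRET, t, 70)}")
```

Running it reports 30 s of tolerated lag on the step boundary and 59 s at the end of a step, and a 70 s lag is rejected in both cases, which matches the symptom in the question. Note that `max_tolerated_lag` compares real codes, so in principle a 6-digit collision between two unrelated steps could widen the answer by a step; `step_offset` is the collision-free arithmetic if you only need the number of steps.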
