My question is, once the 6-digit code is generated by Google or Microsoft Authenticator it is supposed to work for 30 sec and must be expired after 30 sec, but even after a new 6-digit code is generated the earlier code works until 60 sec.
Can anyone help fix this issue?
Regards
Nikhil vijay
Hi Nikhil,
adding to Hanno's comment.
The Identity Provider configuration you are verifying against counts. Most Identity Providers have a default value of 30 seconds for the period and a look ahead window of 1. This would mean the current token is accepted but also the first previous token. A look ahead window of 2 would mean that it accepts three tokens. The current and 2 previous. Both settings can - at least in most identity providers - be changed.
Stefan
Hi Nikhil
I believe you'll find that it is in fact the standard operation of many of the OTP code generators and the reason is explained here in Wikipedia as "Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays."
Hope this helps.
Hanno
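The behaviour Nikhil sees, and the verifier-side window Stefan and Hanno describe, can be reproduced with a small RFC 6238 implementation. The code below is an added example written for this thread; it is not code from any of the posters, from Google or Microsoft Authenticator, or from any identity provider. It assumes the RFC defaults (HMAC-SHA1, 6 digits, 30-second period) and uses the RFC 6238 Appendix B test key as a constructed secret. The `window` parameter of `verify_totp` plays the role of the identity provider's look-ahead/look-back setting: with `window=1` a code issued at second 59 is still accepted at second 89 (the 60-second effect from the question) and rejected at second 90; with `window=0` it is rejected the moment the next period starts. The `last_used_step` argument is an assumption about how a verifier would record an accepted code so that the same one cannot be replayed inside the window.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed secret for this example: the RFC 6238 Appendix B test key
# (ASCII "12345678901234567890"). Real deployments use a random per-user secret.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, period: int = 30) -> int:
    """RFC 6238 counter value: whole periods elapsed since the Unix epoch."""
    return unix_time // period


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """What the authenticator app displays at a given second."""
    return hotp(secret, time_step(unix_time, period), digits)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1,
                last_used_step: Optional[int] = None) -> Optional[int]:
    """Verifier side, as an identity provider would do it.

    Accepts the current time step and `window` previous steps (window=1 means the
    current code plus the one before it, window=2 means the current plus two before).
    Returns the matching step, or None if the code is not accepted.
    `last_used_step` (assumed bookkeeping, not from the thread) rejects any step at or
    below the last accepted one, so an already-used code cannot be replayed inside the window.
    """
    current = time_step(unix_time, period)
    for step in range(current, current - window - 1, -1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), code):
            return step
    return None


def acceptance_timeline(secret: bytes, issued_at: int, window: int,
                        period: int = 30) -> int:
    """Last second at which a code issued at `issued_at` is still accepted for this window."""
    code = totp(secret, issued_at, period)
    t = issued_at
    while verify_totp(secret, code, t + 1, period, window=window) is not None:
        t += 1
    return t


if __name__ == "__main__":
    code = totp(EXAMPLE_SECRET, 59)          # displayed during seconds 30..59 (step 1)
    for window in (0, 1, 2):
        print(f"window={window}: code {code} issued at t=59 accepted until "
              f"t={acceptance_timeline(EXAMPLE_SECRET, 59, window)}")
```

Run as a script it shows that a code from the 30..59 period is accepted until second 59 with `window=0`, until second 89 with `window=1` (the default Stefan mentions), and until second 119 with `window=2`. Nothing about the authenticator app changes; the extra lifetime comes entirely from the verifier's window, which is why the fix, if one is wanted, is made in the identity provider's configuration rather than in the app.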