Allow previous 2FA code to work along with current 30sec one

frin

2FA code on login right now only accepts current valid 30 second window code. Because of the nature of 30 sec TOTP, there is a high chance the code will change while the user is typing/copying the code and submitting the form.

I recommend that you allow the previous 30 second window code to work as well. It is a small security compromise as it would increase it to a 1 minute window, but it would help tremendously with user experience. The risk however is not very big.

Last few days I was experimenting with kagi and 2FA codes didn't work on 2 occasions, both were when the code had changed just before I submitted the form.

User will be able to enter the code without worrying about the countdown, as the previous code will still work for the next 30 seconds after it rotated.

I am not sure about other browsers, but I have a feeling Google themselves allow the previous code as I never had it happen that the code I entered/copied didn't work, and some TOTP implementations even allow the previous AND the next code to work (in case user's clock is slightly out of sync).

neysofu

+1, Note that this is also recommended by RFC 6238 (emphasis mine):

A validation system SHOULD typically set
a policy for an acceptable OTP transmission delay window for
validation. The validation system should compare OTPs not only with
the receiving timestamp but also the past timestamps that are within
the transmission delay. A larger acceptable delay window would
expose a larger window for attacks. We RECOMMEND that at most one
time step is allowed as the network delay.