I found the tokens are valid even after the 30-second time frame. I just logged into an account with the token after 30 seconds. I remembered the token and used it after the 30-second timeout and it worked.
But it shouldn’t work, right? Or am I missing something?
Due to the time part of time-based one-time password, codes are valid for a bit longer than the exact 30-second timer, because there’s no guarantee that a phone/computer/whatever and a random server who knows where are going to be in perfect sync.
Edit: and as Jonah noted, it varies across websites, because it’s something set on the server side.
Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.
If you’re so inclined, I would recommend looking at the way NTP works, particularly at the stratum levels for different NTP servers. It may be interesting to you if you’re going down this route.
There’s nothing you can do if the website chooses to allow multiple valid codes. It is common for websites to accept the current 30 second code, the next 30 second code, and the previous 30 second code. You can be perfectly in sync with the server and the website will still accept an older code if it wants to.
If you waited like a minute+ and then tried the old code, it shouldn’t work anymore.
Just thought I would add that this seems to be the case on many, if not most, websites. You can even try it on this very forum! Using an authenticator that displays the next code (enter or Aegis), you will find that it is accepted even before the first code has expired. It could be useful to you if you need 60 seconds rather than 30 to enter the 2FA code. Websites tend to be better at prohibiting expired codes, while being less strict about accepting future codes before they are technically valid.