Do the tokens in Ente Auth work even after the 30-second time frame?

I found the tokens are valid even after the 30-second time frame. I just logged into an account with the token after 30 seconds. I remembered the token and used it after the 30-second timeout and it worked.

But it shouldn't work, right? Or am I missing something?

Due to the time part of a time-based one-time password, codes are valid for a bit longer than the exact 30-second timer, because there's no guarantee that a phone/computer/whatever and a random server who knows where are going to be in perfect sync.

Edit: and as Jonah noted, it varies across websites, because it's something set on the server side.

4 Likes

This depends on the website you’re using the code on.

4 Likes

So based on time, the time frame might be a bit out of sync between the server of the website and my phone?

But doesn’t the website sync according to the time based on my phone/region?

No, the time part is Unix time, so it's global/universal.

Some authenticators allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.

Can’t really explain more simply than Time-based one-time password - Wikipedia does lol

5 Likes

So it’s just the way it is then? There is nothing we could do to have a proper sync, right?

If you’re so inclined, I would recommend looking at the way NTP works, particularly at the stratum levels for different NTP servers. It may be interesting to you if you’re going down this route :stuck_out_tongue:

Some other time, don’t wanna dive too deep rn😁

There’s nothing you can do if the website chooses to allow multiple valid codes. It is common for websites to accept the current 30 second code, the next 30 second code, and the previous 30 second code. You can be perfectly in sync with the server and the website will still accept an older code if it wants to.

If you waited like a minute+ and then tried the old code, it shouldn’t work anymore.

4 Likes

@pinkandwhite @jonah
Thanks to you guys. Thanks for helping me understand this. :hugs:

1 Like

Just thought I would add that this seems to be the case on many, if not most, websites. You can even try it on this very forum! Using an authenticator that displays the next code (Ente or Aegis), you will find that it is accepted even before the first code has expired. It could be useful to you if you need 60 seconds rather than 30 to enter the 2FA code. Websites tend to be better at prohibiting expired codes, while being less strict with prohibiting future codes before they are technically valid.

1 Like
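The behaviour described in the two replies above (the server accepting the previous, current and next 30-second code, rejecting anything older, and the "next" code already being valid) comes from the verifier, not the authenticator app. The following is an added example, not code from Ente Auth or from this forum's software: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) with a server-side acceptance window of ±1 step, and adds the replay check RFC 6238 recommends so a code that was already used cannot be entered a second time within its window. The secret is the RFC 6238 test-vector key and the timestamp is a constructed value; `TotpVerifier` and `demo` are names chosen for this example.

```python
"""TOTP (RFC 6238, HMAC-SHA1, 30 s steps) with a server-side acceptance window.
Added example; assumes a window of one step either side, which is a common choice."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). Constructed
# input for the example, not a real credential.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    """The TOTP counter is Unix time divided by the step length (global, not local time)."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the authenticator app shows at `unix_time`."""
    return hotp(secret, time_step(unix_time, step), digits)


class TotpVerifier:
    """Server side: accept the code for the current step and for `window` steps
    on either side (tolerating clock skew, latency and a slow user), and never
    accept a step at or before the last one already used (replay protection)."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_accepted_step = -1  # hypothetical persistence; a real server stores this per user

    def verify(self, code: str, unix_time: int) -> bool:
        current = time_step(unix_time, self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) was already consumed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Scenario from the thread, at a constructed 'current' time `now`:
    a code from two steps back fails, the previous step's code passes once
    (a second use is a replay and fails), the current code passes, and the
    next step's code is already accepted before its step has started."""
    v = TotpVerifier(TEST_SECRET, window=1)
    two_steps_old = totp(TEST_SECRET, now - 60)
    previous = totp(TEST_SECRET, now - 30)
    current = totp(TEST_SECRET, now)
    upcoming = totp(TEST_SECRET, now + 30)
    return {
        "two_steps_old": v.verify(two_steps_old, now),   # False: outside the window
        "previous": v.verify(previous, now),             # True: delta -1
        "previous_again": v.verify(previous, now),       # False: replay
        "current": v.verify(current, now),               # True: delta 0
        "upcoming": v.verify(upcoming, now),             # True: delta +1, accepted early
    }


if __name__ == "__main__":
    print(demo())
```

With `window=1` a single 30-second code is usable for up to about 90 seconds, which is why a code still works after the app's timer has run out; set `window=0` to see the strict behaviour where only the current step is accepted. NTP-style synchronisation on the client does not change any of this, because the acceptance window is entirely the server's decision.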