I am testing two factor authentication in my ASP.NET Core application, but I have an issue with the expiry time. I noticed that the laptop time (server) and the mobile time (client) have a 15 second difference; I mean the mobile time is 15 sec ahead.
My problem is that the code is still valid after it disappears from the authenticator app (Microsoft/Google Authenticator). I have used the time tolerance (30 sec, 45 sec, ...) but it does not work as expected. For example, if I use a time tolerance of 30 sec then the code will expire 45 sec after it disappears from the authenticator app.
.NET Core version: 3.1. NuGet package: GoogleAuthenticator 3.1.0 by Brandon Potter
Setup Code
TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
// issuer, account label, shared secret, secretIsBase32 = false, qrPixelsPerModule = 3
SetupCode setupInfo = tfa.GenerateSetupCode(issuer, userEmail, accountSecretKey, false, 3);
Verification Code
TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
// verify: the third argument is the time tolerance, i.e. how far from the
// server clock a submitted code is still accepted
bool result = tfa.ValidateTwoFactorPIN(accountSecretKey, code, TimeSpan.FromSeconds(30));
Expectation: the code should be valid from when it is displayed in the authenticator app until it disappears.
How do I achieve this?
There was a bug in version 3.1.0 and before where 30 seconds was treated the same as 0. This has now been fixed in 3.1.1-beta1. The workaround for 3.1.0 and before is to specify at least 31 seconds for the window.
https://github.com/BrandonPotter/GoogleAuthenticator/issues/160#issuecomment-1568747474
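Added example (Python, not the GoogleAuthenticator package's code): a minimal RFC 6238 TOTP verifier that shows how a time tolerance maps onto 30 s time-steps, and reproduces the question's observation with a client clock 15 s ahead: a tolerance covering one step keeps the code acceptable for about 45 s after the app hides it, while no window at all (what the answer says 3.1.0 did for exactly 30 s) rejects a freshly displayed code for its first 15 s. The secret (the RFC 4226 test-vector key) and the step index are constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time-step in seconds (RFC 6238 default; what the authenticator apps use)
# Constructed demo secret (the RFC 4226 test-vector key); real deployments use a per-user random secret.
SECRET = b"12345678901234567890"

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) for one time-step counter; TOTP is HOTP(unix_time // STEP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def validate(secret: bytes, code: str, server_time: int, tolerance: int) -> bool:
    """Accept `code` if it belongs to any time-step overlapping
    [server_time - tolerance, server_time + tolerance].
    tolerance=0 checks only the current step; tolerance=STEP also checks the
    previous and next step, which is what absorbs small clock skew."""
    first = (server_time - tolerance) // STEP
    last = (server_time + tolerance) // STEP
    return any(hmac.compare_digest(totp(secret, c), code) for c in range(first, last + 1))

def seconds_rejected_after_appearing(skew: int, tolerance: int, k: int = 1_000_000) -> int:
    """Client clock runs `skew` seconds AHEAD of the server. The app starts showing
    the code for step k at client time k*STEP, i.e. server time k*STEP - skew.
    Returns how many seconds the server still refuses that freshly shown code."""
    code, t = totp(SECRET, k), k * STEP - skew
    n = 0
    while n < 2 * STEP and not validate(SECRET, code, t + n, tolerance):
        n += 1
    return n

def seconds_accepted_after_disappearing(skew: int, tolerance: int, k: int = 1_000_000) -> int:
    """The app drops the code for step k at client time (k+1)*STEP,
    i.e. server time (k+1)*STEP - skew. Returns how many more seconds the
    server keeps accepting it (the question's "45 sec after it disappears")."""
    code, t = totp(SECRET, k), (k + 1) * STEP - skew
    n = 0
    while n < 4 * STEP and validate(SECRET, code, t + n, tolerance):
        n += 1
    return n

if __name__ == "__main__":
    for tol in (0, 30):
        print(f"tolerance={tol:2d}s, client 15s ahead: rejected {seconds_rejected_after_appearing(15, tol)}s "
              f"after appearing, accepted {seconds_accepted_after_disappearing(15, tol)}s after disappearing")
```

With zero skew and zero tolerance both functions return 0, which is exactly the questioner's expectation; any non-zero tolerance or clock skew necessarily extends acceptance past the moment the app hides the code, so a one-step window is the price of tolerating the 15 s difference.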