
I am trying to implement a time-based OTP in my project where code generation and code validation will be done by the same server. My whole requirement is to generate an OTP which should be valid for some time (configurable) and then send it to the user's email, with an option to resend the password to the user's email.

I can understand that once we generate a code for a particular secret key with a timestep, for that particular timestep it will generate the same code for the same key. But the problem in using this approach is this: let's say the timestep is 5 mins, a code is generated and is valid for 5 mins. Now after 6 min, if I again send a code, then the new code will only be valid for the next 4 mins instead of 5 mins, since it was generated once the previous code was expired.

Ideally it should be valid for 5 mins from the time the request is raised by the user for the OTP.

  • Why is the expiration based on *last expiry* instead of *new request time*? – CoolBots Sep 17 '20 at 05:42
  • Also, is there any sample code you can share? There's not really enough here to help you. – CoolBots Sep 17 '20 at 05:44
  • @CoolBots: that's how this library works, based on last expiry, not last request – Mr Lazy Sep 17 '20 at 07:10
  • I am referring to this code for my code generation, but instead of Google Auth, using my same server to generate and verify the code. var totp = new Totp(Encoding.ASCII.GetBytes("secretKey")); var code = totp.ComputeTotp(); Console.WriteLine(code); Verify: var totp = new Totp(Encoding.ASCII.GetBytes("secretKey")); bool valid = totp.VerifyTotp(inputCode, out long timeStepMatched, VerificationWindow.RfcSpecifiedNetworkDelay); – Mr Lazy Sep 17 '20 at 07:16
  • there is also a recommendation to match the TOTP with previous and next time frame's TOTP – Kristian Sep 17 '20 at 08:12
  • @CoolBots: reference code https://gigi.nullneuron.net/gigilabs/using-time-based-one-time-passwords-for-two-factor-authentication/ – Mr Lazy Sep 17 '20 at 08:14
  • @Kristian: Are you referring to the verification window? I think with that my previous 2 codes will be valid at once – Mr Lazy Sep 17 '20 at 08:16
  • it's okay because it also accounts for out of sync device time – Kristian Sep 17 '20 at 08:20
  • @Kristian: Verification window only takes into account single or double steps i.e. couple of seconds at max, not more than that. – Mr Lazy Sep 17 '20 at 11:52

0 Answers
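To make the question and the verification-window discussion in the comments concrete, here is an added Python example (not code from the question, the linked article or Otp.NET) that implements RFC 6238 TOTP with a configurable step and window, measures how long a code issued at a given second keeps verifying, and, going beyond the question, shows one way to get a validity window that starts at the request: an RFC 4226 HOTP whose counter is the stored request timestamp. `secretKey` is the asker's sample value; the timestamps are constructed.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 300, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 300,
                window: int = 0, digits: int = 6) -> bool:
    """Accept the current step and `window` steps on either side (a VerificationWindow analogue)."""
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, current + d, digits), code)
               for d in range(-window, window + 1))


def seconds_valid(secret: bytes, issued_at: int, step: int = 300, window: int = 0) -> int:
    """Seconds for which a TOTP issued at `issued_at` keeps verifying. The later in the
    time step the request arrives, the shorter this is: the behaviour the question describes."""
    code = totp(secret, issued_at, step)
    t = issued_at
    while verify_totp(secret, code, t, step, window):
        t += 1
    return t - issued_at


# Alternative (added here, not from the question): anchor the window to the request. Since the
# same server issues and checks the code, it can store the request timestamp and use it as the
# HOTP counter, so each code is valid for exactly `ttl` seconds from the moment it was requested.
def issue_request_anchored(secret: bytes, requested_at: int):
    return hotp(secret, requested_at), requested_at  # persist requested_at alongside the user


def verify_request_anchored(secret: bytes, code: str, requested_at: int,
                            now: int, ttl: int = 300) -> bool:
    if not 0 <= now - requested_at < ttl:
        return False  # expired, or the clock went backwards
    return hmac.compare_digest(hotp(secret, requested_at), code)
```

With a 300-second step, a code issued at second 360 verifies for only 240 seconds under a window of 0 and for 540 seconds under a window of 1, while the request-anchored variant always gives the full 300 seconds.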