by Someone1234 3917 days ago
Sounds like you need to contact the vendor that supplies your 2FA since it is misconfigured/incorrectly implemented.

I've seen this before with people who try to roll their own Google Authenticator/TOTP implementation.

What they do is they read the standard, note the 30 second default step size, and entirely ignore the window. If you look at Google Authenticator while the steps are 30 seconds, the window is +1 or -1, so you can enter three different valid codes at any one time (for three different steps: 0, +30, -30).

But don't take my word for it, Google has the Authenticator source code available here:

https://github.com/google/google-authenticator/blob/master/l...

Look at "window" or "window_size" options. To quote Google's own comment:

> By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so

So as I said, your 2FA is incorrectly done.

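As an added illustration of the step-plus-window check described above (my own example code, not Google's and not the vendor's): a minimal RFC 4226/6238 implementation whose `verify_totp` accepts the current 30-second step plus `window` steps either side, and a helper that shows which client clock skews still validate with the default window of 1 versus a window of 0. The demo secret and timestamp are constructed; the RFC test-vector key `12345678901234567890` is only used as a sanity check.

```python
import hmac
import hashlib
import struct

STEP = 30    # RFC 6238 default time step (seconds)
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time-step number."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = STEP) -> bool:
    """Accept `code` if it matches any step from current-window to current+window.

    window=1 is the Google Authenticator default: the codes for steps -1, 0 and +1
    are all valid at once, roughly 90 seconds of tolerance. window=0 is the
    "ignore the window" mistake from the comment: any skew past the current step fails.
    """
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + i), code)
        for i in range(-window, window + 1)
    )

def skew_outcomes(secret: bytes, server_time: int, window: int) -> dict:
    """For each client clock skew (seconds), does a code generated on the skewed
    client validate on the server? Skews are multiples of STEP so each maps to a
    fixed step offset no matter where server_time falls inside its own step."""
    return {
        skew: verify_totp(secret, totp(secret, server_time + skew), server_time, window)
        for skew in (-90, -60, -30, 0, 30, 60, 90)
    }

if __name__ == "__main__":
    # Constructed demo secret and timestamp (not taken from the thread).
    secret = b"constructed-demo-secret-for-totp"
    now = 1_700_000_000
    print("window=1 (Google Authenticator default):", skew_outcomes(secret, now, 1))
    print("window=0 (window ignored):             ", skew_outcomes(secret, now, 0))
```

A server that widens the window should also remember the last accepted step per user and refuse a code from that step or earlier, so the extra tolerance does not let one observed code be replayed.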

I'm not going to publicly shame the vendor we use, but yes, we've had words.
So are you saying Google Authenticator will be useless when my clock is >60 seconds out of sync? Or do they record my last interaction and note the time delta from there?