by microtonal, 3441 days ago
The RFC recommends a time step of 30 seconds and permitting at most one previous time step for handling out-of-sync clocks and slow/late entry:

The validation system should compare OTPs not only with the receiving timestamp but also the past timestamps that are within the transmission delay. A larger acceptable delay window would expose a larger window for attacks. We RECOMMEND that at most one time step is allowed as the network delay. [...] We RECOMMEND a default time-step size of 30 seconds. This default value of 30 seconds is selected as a balance between security and usability.

Since the client's clock could be behind or ahead of the server's clock, I have to correct myself and the window would be 90 seconds. One could be a bit stricter and e.g. accept the previous time step only until halfway through the current time step, which would bring the window back to 60 seconds. At any rate, all these timeframes are far too large to avoid real-time phishing attacks.