by radranic 1341 days ago
You also need more than just a yes/no just for the authentication.

You should record the last successful count/time window to prevent code re-use. In the rare case that you expect clients to use devices to generate the codes that may be offline for a long time (or never connected dongles) you also need to compensate for personalized time drift for each device.

1 comments

Time drift is the client's responsibility. You’re letting perfect be the enemy of good - very few people use fully offline devices for years at a time, and if you’re not a bank, even something like a 2-5 minute diff is tolerable.
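The verifier state the first comment describes (the last accepted time step as a replay guard, plus a per-device drift offset that is re-learned on every success), as an added Python example that is not code from either commenter. The 30-second step, the ±1-step search window and the RFC 4226 test key used as the secret are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 30   # seconds per TOTP time step (assumed)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class DeviceState:
    """Per-device server-side state: replay guard plus learned clock drift."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already consumed by a successful login
        self.drift = 0        # this device's clock offset in steps, updated on each success


def verify(state: DeviceState, code: str, now: float, window: int = 1) -> bool:
    """Accept `code` if it matches a step within +/-window of (server step + learned drift)
    and that step is newer than the last accepted one, so a captured code cannot be replayed."""
    base = int(now // STEP) + state.drift
    for delta in range(-window, window + 1):
        step = base + delta
        if step <= state.last_step:
            continue  # already consumed (or older than a consumed code): refuse re-use
        if hmac.compare_digest(hotp(state.secret, step), code):
            state.last_step = step   # record the window so the same code is never accepted twice
            state.drift += delta     # resynchronise: remember how far this device's clock is off
            return True
    return False


if __name__ == "__main__":
    # Constructed walkthrough: a device whose clock runs one step (30 s) slow.
    dev = DeviceState(b"12345678901234567890")  # RFC 4226 test key, not a real secret
    server_now = 1002 * STEP
    print(verify(dev, hotp(dev.secret, 1001), server_now))        # True, drift learned as -1
    print(verify(dev, hotp(dev.secret, 1001), server_now + 5))    # False, replay refused
```

A device that has been offline long enough to fall outside the window will not match; widening `window` only for enrollment or re-sync, rather than permanently, keeps the replay guard meaningful.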