by crazygringo 896 days ago
I definitely had no idea! Thanks for that knowledge.

I mean there's never been any UX indication at all that that would be the case. I like your idea of showing the previous code -- that would make it very clear.

Good to know.

1 comment

To be fair, the reason for this is to account for clock desync between systems, so it wouldn't be correct to say it is still valid for 30 seconds where it might not be in reality. Knowing what this actually means requires understanding the implementation of TOTP, so that you are not surprised in situations where it does fail. The existing authenticator app UX is likely correct for the average user.
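
The behaviour discussed in this thread, as an added example that is not part of either comment: an RFC 6238 TOTP verifier that tolerates clock desync by also accepting the code from the adjacent 30-second step. The names `verify`, `skew_steps` and `last_used_step` are assumptions made for illustration, the replay check goes slightly beyond what the comments describe, and `SECRET` is the published RFC 6238 test key, not a real credential.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"   # RFC 6238 test key, sample value only

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """The code an authenticator app shows at unix_time."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret, code, server_time, digits=6, skew_steps=1, last_used_step=-1):
    """Return the time step whose code matched, or None.

    Codes from skew_steps steps either side of the server's current step
    are accepted, which is why a code that has just rolled over in the app
    can still log you in. Steps at or before last_used_step are refused so
    an accepted code cannot be replayed inside the tolerance window.
    """
    current = server_time // STEP
    for step in range(current - skew_steps, current + skew_steps + 1):
        if step <= last_used_step:
            continue
        expected = hotp(secret, step, digits)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None

if __name__ == "__main__":
    old_code = totp(SECRET, 1111111109, digits=8)   # client clock, step N
    # Server clock is two seconds ahead and already in step N+1.
    print(old_code, verify(SECRET, old_code, 1111111111, digits=8))
    # One more step later the same code is outside the window.
    print(old_code, verify(SECRET, old_code, 1111111141, digits=8))
```

The caller should store the returned step as `last_used_step` for that account after a successful login.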