JiaJiaJiang / nodejs-GoogleAuthenticator

HOTP for nodejs
MIT License

Old 2FA code can still be used #2

Open fabiokounang opened 2 years ago

fabiokounang commented 2 years ago

Hello, I need help. My scenario is like this:

  1. code 1 : 123456
  2. code 2 : 234567
  3. code 3 : 345678

And keep in mind a code expires after 30s.

So here it is:

  1. when I let code 1 expire
  2. code 2 shows up
  3. but when I try to input code 1, it can still be used
  4. it only becomes unusable when code 3 appears
  5. and so on

So the point is, I just want the current active code to be verified as true. Thank you, I really need your help!

idma88 commented 2 years ago

In the verifyCode(secret, code, discrepancy, currentTimeSlice) method, set discrepancy = 0.

fabiokounang commented 2 years ago

> In the verifyCode(secret, code, discrepancy, currentTimeSlice) method, set discrepancy = 0.

I already set discrepancy to 0, but when I tried the old 2FA code, it could still be used until code 2 had 10s left. Should I set currentTimeSlice too? Although I don't really understand what that is. Thank you for your response! :D

idma88 commented 2 years ago

currentTimeSlice is the number of 30-second time slices that have elapsed since the start of Unix time. If you do not specify it in the parameters, it will be calculated from the current server time.

As far as I know, such an interval can be chosen even smaller, but this library does not provide that option.

Because of latency, both network and human, and unsynchronised clocks, the one-time password must validate over a range of times between client and server.

JiaJiaJiang commented 2 years ago

> In the verifyCode(secret, code, discrepancy, currentTimeSlice) method, set discrepancy = 0.

> I already set discrepancy to 0, but when I tried the old 2FA code, it could still be used until code 2 had 10s left. Should I set currentTimeSlice too? Although I don't really understand what that is. Thank you for your response! :D

This may just be caused by a time discrepancy between your server and client. You can check it by testing whether two codes are valid at the same time when you set discrepancy to 0; there should be only one code valid in that situation. When you set discrepancy to 1, there will be 3 codes valid for a time slice, with offsets ranging from -discrepancy to +discrepancy around currentTimeSlice.