Request to make TOTP period configurable

[ehblh]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [ ] I have joined the Ory Community Slack.
• [ ] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

We have received user feedback indicating that some of our customers find it challenging to enter the TOTP code within the current 30-second window. This can lead to authentication failures and user frustration. We want to provide our users with a more comfortable authentication experience by extending the TOTP validity period to 60 seconds.

Describe your ideal solution

We propose adding a configuration option in Ory Kratos that allows administrators to specify the TOTP validity period. Ideally, this configuration parameter should be included in the Ory Kratos configuration file (e.g., kratos.yml) and accept values in seconds. This way, organizations can adapt the TOTP code expiration time to their specific security and usability requirements.

Workarounds or alternatives

Currently there is no workarounds because 30-second valid period is hard-coded in the code.

Version

v1.0.0

Additional Context

• Providing the ability to configure the TOTP validity period is crucial for meeting the diverse security and usability requirements of our users.
• By implementing this feature, Ory Kratos can cater to a wider range of use cases and ensure a more user-friendly and adaptable authentication process.
• Clear and detailed documentation should accompany this feature to guide administrators on how to configure the TOTP validity period according to their needs while understanding the potential security implications.

[alnr]

Is this really hardcoded to 30 sec? IMO we can just extend this to 5 min. @zepatrik ?

[aeneasr]

30 seconds is the default specified in the TOTP RFC (as well as industry standard) and it should not be changed without good reason.

[alnr]

Are we talking about the individual code validity period? Or the total time the user has to complete the flow?

[Robert-Bosse]

I think it is best practice while working with TOTP to not only accept the latest 6 digit token for validation but also the one that was valid before. So even if the code changes while the user is checking he can still use the old and the new one. @ehblh Would this help your users?

[github-actions[bot]]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️