pquerna / otp

TOTP library for Go
Apache License 2.0

Hello, what does the Skew parameter mean? #62

Closed nfhh closed 1 year ago

nfhh commented 3 years ago

Hello, what does the Skew parameter mean?

kumo-rn5s commented 3 years ago

When Skew is 1 (actually, the default value for this library is 1), authentication will check the valid time range of the OTP, both before and after the current period, which means that the OTP password is still valid after the present period (e.g. period is 30 seconds, and the valid time range is [Before(30s) ~ Present(30s) ~ After(30s)]).

I recommend using ValidateCustom() which allows you to manually set the Skew to 0.

https://github.com/pquerna/otp/blob/master/totp/totp.go#L102-L109

counters = append(counters, uint64(counter))
for i := 1; i <= int(opts.Skew); i++ {
    counters = append(counters, uint64(counter+int64(i)))
    counters = append(counters, uint64(counter-int64(i)))
}
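The effect of the Skew window discussed in this thread, as an added example that is not part of the original comments or of the pquerna/otp code base. It is a standard-library-only RFC 6238 check (HMAC-SHA1, 6 digits, 30-second period); `hotp` and `validate` are hypothetical helper names, and the secret is the published RFC 4226 test key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const period = 30 // seconds per TOTP time step

// hotp computes the six-digit RFC 4226 code for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// validate accepts code if it matches the current time step or any step
// within +/- skew of it, using the same counter list as the quoted loop.
func validate(code string, secret []byte, t time.Time, skew uint) bool {
	counter := t.Unix() / period
	counters := []uint64{uint64(counter)}
	for i := int64(1); i <= int64(skew); i++ {
		counters = append(counters, uint64(counter+i), uint64(counter-i))
	}
	ok := false
	for _, c := range counters { // constant-time compare, no early exit
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test key, sample only
	now := time.Unix(59, 0)                  // constructed fixed clock: time step 1
	prev := hotp(secret, 0)                  // code from the previous 30 s period
	fmt.Println("skew=1 accepts previous-period code:", validate(prev, secret, now, 1))
	fmt.Println("skew=0 accepts previous-period code:", validate(prev, secret, now, 0))
}
```

With Skew 1 a captured code stays usable for up to three periods (previous, current, next), so replay protection on the server side matters more as Skew grows.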