yeojz / otplib

:key: One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator
https://otplib.yeojz.dev
MIT License

Too many OTP's got verified #555

Open ronvince opened 3 years ago

ronvince commented 3 years ago

While using otplib, I have noticed that for a secret key there are so many different OTPs that are valid at a given point in time.

Steps to reproduce the behavior:

  1. config options step=1 window=300 digits=4
  2. This will generate 1 OTP per second for a secret key; for a 300s window size there will be at most 300 OTPs valid.
  3. But when I tried, 550-600 are passed as valid.
  4. By increasing step to 30, new OTPs are created every 30s; still 550-600 OTPs are valid.
  5. These are for 4-digit OTPs.

suruaku commented 3 years ago

Isn't that correct? From the documentation, window is "Tokens in the previous and future x-windows that should be considered valid." So if you have window with value 300 it should accept 300 previous OTPs.

ankursachdeva11 commented 2 years ago

I have tried window: 1 with step: 30. When I enter the code, it fails when a new code shows in the app. It should accept one past code. Am I missing something?