
otplib token inconsistent expiry time?

I'm using otplib: https://github.com/yeojz/otplib

Each user has their own secret stored in a database. When a user logs in for 2FA I run totp.generate(secret); on the user's secret. I set step to 5 minutes:

const { totp } = require('otplib');
totp.options = { step: 300 }; // 5 minutes

How do I ensure that every time I generate a token it will start from 0 seconds? Currently the time remaining for each token is between [0, 300] depending on the time I generate it. Is totp not what I want to use?

For example, consider when a user generates a totp through logging in, their time remaining is 1 second. By the time they type in their pin the otp already changed, so it would error, even though they just generated it.

I want consistent time. When I generate a token, I want the token to be valid for 300 seconds not randomly [0,300]. How do I achieve this?

TOTP is not about generating a code that is valid for the next n seconds.

TOTP is about generating a key which, when input into an algorithm, outputs the code corresponding to the current window of n seconds.

That's why TOTP clients display the time remaining until the next window of n seconds.

If the user doesn't have time to input and submit the current code until the window expires, then they should wait for the next one.

You may be tempted to think that, if the user submits a code right after its window expires, then you could still accept it, but that's a bad practice.
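The window behaviour described in the question and the answer, as an added example that is not part of the original posts and is not otplib's code: a minimal RFC 6238 TOTP on Node's built-in crypto module, using the 5-minute step from the question. The helper names (hotp, totp, timeRemaining, check, demo) are hypothetical, the secret is the RFC 4226 test key, and the timestamps are constructed.

```javascript
const crypto = require('crypto');

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
// followed by dynamic truncation to a decimal code.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the counter is the number of whole steps since the
// Unix epoch, so the code depends on the wall clock, not on when
// generate() happened to be called.
function totp(secret, nowMs, step = 300, digits = 6) {
  return hotp(secret, Math.floor(nowMs / 1000 / step), digits);
}

// Seconds left in the current window: anywhere from step down to 1.
function timeRemaining(nowMs, step = 300) {
  return step - (Math.floor(nowMs / 1000) % step);
}

// Accept only the code of the current window, compared in constant time.
function check(token, secret, nowMs, step = 300) {
  const expected = Buffer.from(totp(secret, nowMs, step));
  const given = Buffer.from(String(token));
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed timeline: seconds since the epoch at which a code is generated.
function demo() {
  const secret = Buffer.from('12345678901234567890'); // RFC 4226 test key
  return [0, 150, 299, 300].map((sec) => ({
    sec,
    code: totp(secret, sec * 1000),
    remaining: timeRemaining(sec * 1000),
  }));
}

console.table(demo());
```

The rows for seconds 0, 150 and 299 carry the same code with 300, 150 and 1 seconds remaining; the row for second 300 carries the next window's code.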
