top | item 13595453

wonderfool | 9 years ago

This may sound silly, but keep in mind that TOTP requires that both ends agree on the current time. I learned this the hard way when my authenticator stopped working consistently.

Apparently I had disabled my device's (the one with the authenticator app) "automatically set time from NTP" feature. Over time this resulted in my device's clock drifting X seconds away from the providers' clock(s), which in turn resulted in my occasionally using codes that were already X seconds expired.

eru|9 years ago

The counter-based OTP is actually more secure, but Google doesn't go for them with end-users, because they can go out of sync (e.g. if your kid is idly flicking through a lot of them on your phone) and then have to be reset.
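An added example, not part of either comment above: a minimal RFC 4226/6238 verifier showing why a drifting device clock fails only intermittently under TOTP, and how a counter-based token that has been advanced falls outside the server's look-ahead. The function names, the `window` and `look_ahead` values and the sample times are assumptions for illustration; the key is the RFC 4226 test secret.

```python
import hashlib, hmac, struct

STEP = 30                          # RFC 6238 default time step, seconds
KEY = b"12345678901234567890"      # RFC 4226 test secret, used here as sample data

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def totp(key, unix_time, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, int(unix_time // STEP), digits)

def verify_totp(key, code, server_time, window=1):
    """Return the step offset (0, -1, +1, ...) that matched, or None."""
    base = int(server_time // STEP)
    for off in sorted(range(-window, window + 1), key=abs):
        if base + off >= 0 and hmac.compare_digest(hotp(key, base + off, len(code)), code):
            return off
    return None

def verify_hotp(key, code, server_counter, look_ahead=3):
    """Return the server's next counter if the code is within look_ahead, else None."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c, len(code)), code):
            return c + 1           # resynchronise past the accepted code
    return None

if __name__ == "__main__":
    # Constructed times. Device clock 10 s slow: result depends on position in the step.
    for server_time in (155, 170):
        code = totp(KEY, server_time - 10)
        print(server_time, code, verify_totp(KEY, code, server_time, window=0))
    # Device clock 40 s slow: outside a +/-1 step window, inside +/-2.
    code = totp(KEY, 155 - 40)
    print(verify_totp(KEY, code, 155, window=1), verify_totp(KEY, code, 155, window=2))
    # Token advanced 5 presses past the server's counter (0): needs look_ahead >= 5.
    code = hotp(KEY, 5)
    print(verify_hotp(KEY, code, 0, look_ahead=3), verify_hotp(KEY, code, 0, look_ahead=5))
```

A wider `window` or `look_ahead` tolerates more drift or more stray presses, but it also lengthens the period during which a captured code is still accepted.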