top | item 33247191

radranic | 3 years ago

You also need more than just a yes/no just for the authentication.

You should record the last successful count/time window to prevent code re-use. In the rare case that you expect clients to use devices to generate the codes that may be offline for a long time (or never connected dongles) you also need to compensate for personalized time drift for each device.


unethical_ban | 3 years ago

Time drift is the client's responsibility. You’re letting perfect be the enemy of good - very few people use fully offline devices for years at a time, and if you’re not a bank, even something like a 2-5 minute diff is tolerable.