Page MenuHomePhorge

Allow to increase the TOTPAuth timestep window size (now 1 minute)
Open, LowPublic


I like TOTP. I use FreeOTP+ from F-Droid and I'm very happy about it in 20+ websites.. but not in Phorge.

I don't think much users use the TOTPAuth method apart me on Phabricator/Phorge. I say this since the tool is very strict (positive) but I see the majority of the people in my office who just try to disable TOTP (negative) because of this frustrating use case:

  • everything is on fire, you need to quickly login and create a Task
  • it asks your TOTP
  • you take your TOTP app
  • you copy-paste the code

Now. For some reason, at this point you may be in front of this window:

Screenshot TOTP expired Phorge-Phabricator.png (107×609 px, 17 KB)

This happens for a lot of reasons. Examples:

  • You took more than 59.9 seconds
  • Phorge/Phabricator webserver has the wrong clock by 20+ seconds
  • your mobile app has the wrong clock by 20+ seconds
  • you tried to login at 06:00:50 AM generating the token at 06:01:10 AM
  • a weird combination of these things

To avoid this frustrating issue, I think most banks probably have a time window of at least 3 minutes (-1, current, and +1) and not just 60 seconds, since they want to prevent users from just delivering weird complains about the TOTP token expiration, and banks also want to prevent users from just asking to disable TOTP so they don't waste their time anymore, but also keeping this security measure on as much as possible.

In my opinion, 3 minutes is a better default than 1. Anyway, if there is no much consensus on increasing this limit (even if I would like to understand if somebody is happy about the current default), it would be just OK to allow to increase the default, introducing a small side-wide configuration, to allow me to set it to 3 and love TOTP again.

To be honest I'm not totally sure about what makes the current implementation so strict, but probably here there is the most-relevant part:$424-429

	  private function getTimestepWindowSize() {
	    // The user is allowed to provide a code from the recent past or the
	    // near future to account for minor clock skew between the client
	    // and server, and the time it takes to actually enter a code.
	    return 1;

I've also found this comment in a 2018 commit message that it's about this strictness:

Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).