I like TOTP. I use FreeOTP+ from F-Droid and I'm very happy with it on 20+ websites... but not Phorge.
I don't think many users use the TOTPAuth method apart from me on Phabricator/Phorge. I say this since the tool is very strict (positive), but I see that the majority of people just try to disable it (negative) because of this frustrating use case:
* everything is on fire, you need to log in quickly and create a Task
* it asks for your TOTP
* you take your TOTP app
* you copy-paste the code
Now. For some reason, at this point you may be in front of this window:
TODO ADD PIC
This happens for a lot of reasons. Examples:
- you took more than 59.9 seconds
- the Phorge/Phabricator webserver has the wrong clock by 20+ seconds
- your mobile app has the wrong clock by 20+ seconds
- you tried to log in at 06:00:50 AM, having generated the token at 06:01:10 AM
- a weird combination of these things
Note that most banks definitely have a time window of at least 3 minutes, not just 60 seconds, since they want to prevent users from delivering weird complaints about TOTP token expiration, and banks also want to prevent users from asking to disable TOTP so they don't waste their time anymore, while also keeping this security measure on as much as possible.
In short:
In my opinion, 3 minutes is a better default than 1. But I'm here just to suggest allowing the default to be increased from 1 minute to 3 by introducing a small site-wide configuration, if there is not much consensus on increasing this limit (even if I would like to understand whether somebody is happy with the current default).
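To make the clock-skew cases in the post concrete, here is an added example (my own illustration, not Phorge/Phabricator code) of RFC 6238 TOTP verification with a configurable window of accepted time steps. It assumes the standard 30-second step, HMAC-SHA1 and 6 digits; it does not reflect what Phorge actually configures, and the epoch timestamps in the demo are constructed. The RFC 6238 test secret is used so the codes can be cross-checked against the RFC's own vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step (assumption: Phorge's value is not stated)
DIGITS = 6         # RFC 6238 default code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the time step the clock is in."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, code: str, server_time: int, window_steps: int,
               step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Return the step offset (between -window_steps and +window_steps) whose code equals
    `code`, or None if the code is valid in none of them.

    window_steps=0 tolerates no skew at all; 1 tolerates roughly +/-30 s;
    3 tolerates roughly +/-90 s, i.e. about the "3 minutes" the post asks for.
    The offset doubles as a diagnostic: +1 means the phone is ahead of the
    server by about one step, -1 means it is behind.
    """
    base = server_time // step
    # Try the current step first, then alternate outwards (0, -1, +1, -2, +2, ...),
    # so the offset returned is the smallest skew that explains the code.
    for delta in sorted(range(-window_steps, window_steps + 1), key=abs):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return delta
    return None


def verify_totp(secret: bytes, code: str, server_time: int, window_steps: int = 1) -> bool:
    return match_totp(secret, code, server_time, window_steps) is not None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    # Constructed timeline: the server sees the login 5 s into a 30 s step.
    server_now = 1700000005
    scenarios = [
        ("phone in sync", server_now),
        ("phone 20 s ahead, crosses a step boundary", server_now + 20),
        ("phone 30 s behind", server_now - 30),
        ("phone 70 s ahead (or user was slow by 70 s)", server_now + 70),
    ]
    for label, phone_time in scenarios:
        code = totp(secret, phone_time)
        for window in (0, 1, 3):
            hit = match_totp(secret, code, server_now, window)
            verdict = "rejected" if hit is None else f"accepted at offset {hit:+d}"
            print(f"{label:45s} window={window}: {verdict}")
```

Widening the window is not free: at any instant 2w+1 codes out of 10^6 are valid instead of 1, and each code stays usable for longer, so a wider window has to be paired with login rate limiting and with refusing to accept a code that has already been used successfully. Logging the matched offset is cheap and tells you whether it is the server or the phone that is drifting before anyone asks to switch TOTP off.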