MFA is too strict on clock

We use Auth0’s MFA with TOTP (e.g. Google Authenticator), however it is super strict with accepting only the current code. Whereas most other MFA/2FA sign-ins accept the previous code and the next code for a few seconds, just in case the user’s clock is a few seconds out. I’m constantly tripping over this. For usability’s sake, can it have more leeway like the others?

Auth0 seems unusually strict compared to MFA done with Google, GitHub etc. In fact, I’m certain that for a while Auth0 server’s clock was almost 10s out, for several months last year, compared to my iPhone which was correct within a second. This meant I could only use the code in the first 20s of the 30s period.

Recently I started using a Yubikey and it tries to be helpful by giving the new code about 5 seconds before a period starts. However now Auth0’s clock is correct, that means Auth0 doesn’t accept this code for 5s. It is maddening that Auth0 is so strict!

I’ve not done the maths, but it seems a very minor relaxation of the security to have a bit of tolerance here, to benefit usability in a big way. And Google, GitHub etc all agree.

Hi @davidread,

Thank you for the feedback :smile: . I submitted it to the product team, they may reach out to you for further context.

If you have more product feedback in the future, you can submit it here.

Warm Regards,
Dan

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.