TOTP tolerance to better accommodate drifts in client device clock

Feature: Allow configurable tolerance of TOTP time drift

Description: Provide a configuration option where the TOTP code validation check has a tolerance for a certain number of “past” and “future” values to accommodate client devices with a small time drift. Most open source TOTP implementations allow for this (such as boringauth::oath::TOTPBuilder - Rust).

Use-case: TOTP relies on client devices having proper date/time sync. Due to their popularity, Android phones are often used to run the TOTP apps (i.e., Google Authenticator). And Android has a very well known problem of having unreliable dates and times, since by default on many versions it uses the very unreliable NITZ protocol for this. So a big number of MFA authentication attempts fail for customers using Android due to small but big enough clock drifts that cause a strict TOTP code validation to fail. Allowing a configurable tolerance on Auth0 would allow developers to choose a better balance between security and UX to match their unique needs and risk appetite.
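As an added illustration of the tolerance window the request describes (example code written for this page, not Auth0's or boringauth's implementation), the check below validates an RFC 6238 TOTP code against the current time step plus a configurable number of past and future steps. The seed is the RFC 6238 SHA-1 test-vector secret used as constructed sample input; the `last_used_counter` replay guard is an assumption about how a server would keep a widened window from accepting the same code twice.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample seed (the RFC 6238 SHA-1 test-vector secret); a real server
# would store the per-user seed decoded from its base32 form.
SECRET = b"12345678901234567890"
STEP = 30    # time-step size in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, tolerance: int = 1,
                step: int = STEP, last_used_counter: int = -1) -> Optional[int]:
    """Accept `code` if it matches any step in [T - tolerance, T + tolerance].

    Returns the matching offset in steps (so the caller can log the client's drift)
    or None on failure. Steps at or below `last_used_counter` are skipped so a code
    already consumed cannot be replayed inside the widened window; the caller should
    persist counter + offset after a successful check. Each comparison is constant-time.
    """
    counter = unix_time // step
    for delta in range(-tolerance, tolerance + 1):
        candidate_counter = counter + delta
        if candidate_counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate_counter), code):
            return delta
    return None


if __name__ == "__main__":
    server_now = 1111111111           # server clock (RFC 6238 test time)
    client_now = server_now - 45      # client clock 45 s behind: two steps off
    code = totp_at(SECRET, client_now)
    print("strict (tolerance=1):", verify_totp(SECRET, code, server_now, tolerance=1))
    print("lenient (tolerance=2):", verify_totp(SECRET, code, server_now, tolerance=2))
```

Widening `tolerance` trades a larger acceptance window (and more replay opportunity per code) for fewer drift-related failures, which is exactly the balance the request asks to make configurable.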

Thank you for the detailed feedback.
