Wrong system time will instantly time out MFA

Hi all,

We got a strange support request that a customer was not able to sign in on Auth0. She could pass the credential check, but when she needed to supply the 6-digit code, an error was shown that “Your login attempt has timed out”. There was no way to provide the code and this error was shown instantly.

After a call we found out that her system time was (around) 5 minutes ahead of mine. When trying to update my system time to +10 minutes, I got the same error.

Of course I could change my system time, but she could not change hers due to company policies. The system time was set on the CMOS clock instead of internet time. Of course I would not recommend that, but we have to deal with their preference/set-up.

First of all, why is Auth0 dependent on the system time of the client Windows computer? The 6-digit code is not generated here (I hope) and should be validated server side by Auth0.
Next, how can we resolve this issue so this will not happen in the future?
We, as a provider of a service, should not depend on any random clock setting by our customers.

Hopefully we can make an adjustment on our side to prevent this in the future.

Thank you very much :slight_smile:

Mathijs