Auth0 Acceptance of OTP MFA Codes After 30 Seconds

Overview

When using the One-Time Password (OTP) Multi-Factor Authentication (MFA) factor during a login, an authenticator app generates a new code every 30 seconds. Auth0 also accepts the code from the previous 30-second time step to accommodate slight clock skew between the device and the server, or the time a user needs to read and type the code, so a code is effectively valid for up to 60 seconds. As a result, a code still authenticates for up to 30 seconds after the authenticator app has already replaced it with a newer one.

Applies To
  • Auth0
  • Multi-Factor Authentication (MFA)
  • One-Time Password (OTP)
Solution

Why does Auth0 accept OTP MFA codes after 30 seconds?

To accommodate slight clock skew or user typing delay, Auth0 accepts the code from the previous 30-second time step as well as the current one, effectively creating a 60-second window of validity. A stricter window (current step only) is harder to abuse but causes more rejected codes and user friction; a looser window improves the user experience but lengthens the time in which an intercepted or observed code can still be used. Auth0 balances security posture and user experience by following RFC 6238, which recommends that a verifier allow at most one time step of drift when validating a TOTP code.
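The following is an added illustration, not Auth0's code and not something an Auth0 tenant configures: a minimal RFC 6238 TOTP generator and a verifier that accepts the current step plus one earlier step (the 60-second window described above) and refuses any step it has already accepted for a user, which is the one-time-use rule RFC 6238 section 5.2 requires. The secret and the user name are constructed for the example; the hypothetical `TotpVerifier` class and its `lookback` parameter are assumptions used to model the behaviour the article describes.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step used by Auth0 and by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (unix_time // step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Hypothetical verifier modelling the window in the article.

    lookback=1 accepts the current step and the one before it (a 60-second window);
    lookback=0 is the strict variant that accepts only the current step.
    A step that was already accepted for a user is never accepted again, and
    neither is any older step, so a code cannot be replayed once used.
    """

    def __init__(self, lookback: int = 1, digits: int = 6, step: int = STEP_SECONDS):
        self.lookback = lookback
        self.digits = digits
        self.step = step
        self._last_step = {}  # user -> highest time step already accepted for that user

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        # Reject malformed input before doing any comparison.
        if len(code) != self.digits or not code.isdigit():
            return False
        current = unix_time // self.step
        for candidate in range(current, current - self.lookback - 1, -1):
            if candidate <= self._last_step.get(user, -1):
                break  # this step, or a newer one, was already used: treat as replay
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key); real secrets are random.
    secret = b"12345678901234567890"
    now = int(time.time())
    verifier = TotpVerifier(lookback=1)
    code = totp(secret, now)
    print("current code accepted:", verifier.verify("demo-user", secret, code, now))
    print("same code again (replay):", verifier.verify("demo-user", secret, code, now))
    print("current code 30 s later:", verifier.verify("demo-user", secret, code, now + 30))
```

The replay rule matters as much as the window size: without it, the 60-second window would let an observed code be submitted a second time by someone else before it expires. The `lookback` value is the knob that trades user friction against exposure time; the article describes Auth0 as fixed at one previous step.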
