
AD-B2C Custom Policy - Microsoft Authenticator TOTP valid for more than 30 seconds


We have used Azure AD-B2C and implemented MFA using a custom policy. We have the authenticator app as one of the MFA options for logging in to our application.

We are using the Microsoft Authenticator app, and it generates a one-time passcode every 30 seconds. However, we are able to log in to the application using an old TOTP that was generated more than 30 seconds earlier.

I have tried verifying the validity of the TOTP, but couldn't find any documentation on this. The code generated is sometimes valid for up to 3 minutes and sometimes for up to 5 minutes. Is the code not supposed to expire within 30 seconds?

Can you please clarify this, and refer me to any documentation?


Solution

  • As per all the documentation, TOTP generates the one-time passcode every 30 seconds, but nothing is mentioned about its expiry time.

    As per the TOTP algorithm, we can't control its expiry time, and as the name says, it is a one-time code which can be used only once. So even if you are entering the "expired" code, it is really not expired. It has only expired in the time slice in which the app generated it, but Azure AD B2C will accept it within a time tolerance (as you observed, sometimes up to 5 minutes).

    As this OTP can be used only once, B2C will give you an error if you try to use it a second time.

    One more factor is that code generation is based on system time, and while the system time of Azure AD B2C can be synchronized with internet time servers, the system time of a mobile device can be out of sync for various reasons. Thus, Azure AD (B2C) has a time tolerance of to accept Time-Based One-Time Passwords during verification.
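The behaviour described in this answer can be modelled with a small RFC 6238 verifier that checks a tolerance window of neighbouring 30-second slices and records each accepted slice so the same code cannot be replayed. This is an added example, not code from Azure AD B2C or from the custom policy; the secret, the ±10-slice window (about ±5 minutes) and the timestamps are constructed values, and the width of B2C's real window is an assumption.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default, the 30 s the question mentions)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time slice."""
    return hotp(secret, int(now) // step)


class TotpVerifier:
    """Verifies TOTP codes with a skew-tolerance window and one-time use.

    tolerance_steps=N accepts the code of the current slice and of N slices on
    either side, which is why a code still 'works' minutes after the app stopped
    showing it. Every accepted slice is remembered, so the same code is refused
    when it is submitted again (the one-time property the answer describes).
    """

    def __init__(self, secret: bytes, tolerance_steps: int, step: int = STEP):
        self.secret = secret
        self.tolerance_steps = tolerance_steps
        self.step = step
        self.used_counters: set[int] = set()  # slices already consumed by a login

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for delta in range(-self.tolerance_steps, self.tolerance_steps + 1):
            counter = current + delta
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_counters:
                    return False  # same code again: refused as a replay
                self.used_counters.add(counter)
                return True
        return False  # no slice inside the tolerance window produced this code
```

With `tolerance_steps=10` a code from 4 minutes ago is accepted once and then refused; with `tolerance_steps=0` only the current 30-second slice is accepted.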