samdjstevens/java-totp

invalidate old otp values

charith26 opened this issue · 2 comments

Hi,

I'm using this library to generate and validate totp values. I generate a new code every 60 seconds,

```java
long currentBucket = Math.floorDiv(new SystemTimeProvider().getTime(), 60);
System.out.println(codeGenerator.generate(secret, currentBucket));
```

However, when I validate the codes, the old codes continue to be valid even after the new codes are generated. Is this the normal case or am I doing something wrong?

```java
timeProvider = new SystemTimeProvider();
codeGenerator = new DefaultCodeGenerator(HashingAlgorithm.SHA1);
verifier = new DefaultCodeVerifier(codeGenerator, timeProvider);
verifier.setTimePeriod(60);
verifier.setAllowedTimePeriodDiscrepancy(5);
verifier.isValidCode(secret, totp);
```

Thank you

Hey,

To be clear, the `setAllowedTimePeriodDiscrepancy` method is asking for a discrepancy in periods (or buckets), so if your time period is 60 like the above, setting a discrepancy of 5 is saying that codes that were generated 5*60 seconds ago or less are valid.

Does this help?

Hey, it does! Solved the issue. Thanks.
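
The window described in the reply above, as an added example that is not part of the original thread or the project's own code: it pins the clock with a fixed `TimeProvider`, generates codes for the periods around the current one, and prints which of them a verifier accepts with a discrepancy of 5, 1 and 0. The secret, the fixed timestamp, and the class and method names are constructed for the demonstration; the java-totp calls are those used in the posts above, plus the `TimeProvider` interface that `SystemTimeProvider` implements.

```java
import dev.samstevens.totp.code.DefaultCodeGenerator;
import dev.samstevens.totp.code.DefaultCodeVerifier;
import dev.samstevens.totp.code.HashingAlgorithm;
import dev.samstevens.totp.time.TimeProvider;

public class DiscrepancyWindowDemo {
    // Constructed Base32 secret, for this demonstration only.
    static final String SECRET = "JBSWY3DPEHPK3PXP";
    static final int PERIOD = 60;            // seconds per code, as in the issue
    static final long NOW = 1_700_000_000L;  // constructed fixed clock (epoch seconds)
    static final int PROBE = 6;              // periods probed on each side of "now"

    // Counts how many of the probed periods yield a code that the verifier
    // accepts when configured with the given discrepancy.
    static int acceptedPeriods(int discrepancy) throws Exception {
        DefaultCodeGenerator generator = new DefaultCodeGenerator(HashingAlgorithm.SHA1);
        TimeProvider fixedClock = () -> NOW; // the verifier always sees the same time
        DefaultCodeVerifier verifier = new DefaultCodeVerifier(generator, fixedClock);
        verifier.setTimePeriod(PERIOD);
        verifier.setAllowedTimePeriodDiscrepancy(discrepancy);

        long currentBucket = Math.floorDiv(NOW, PERIOD);
        int accepted = 0;
        for (int offset = -PROBE; offset <= PROBE; offset++) {
            // Code that belongs to a period `offset` buckets away from the current one.
            String code = generator.generate(SECRET, currentBucket + offset);
            boolean ok = verifier.isValidCode(SECRET, code);
            System.out.printf("discrepancy=%d  period %+d (%+d s)  %s%n",
                    discrepancy, offset, offset * PERIOD, ok ? "accepted" : "rejected");
            if (ok) {
                accepted++;
            }
        }
        return accepted;
    }

    public static void main(String[] args) throws Exception {
        for (int discrepancy : new int[] {5, 1, 0}) {
            int accepted = acceptedPeriods(discrepancy);
            System.out.printf("discrepancy=%d -> %d of %d probed periods accepted%n%n",
                    discrepancy, accepted, 2 * PROBE + 1);
        }
    }
}
```

The accepted span is how long a captured code stays replayable, so keep the discrepancy as small as the expected clock drift between client and server allows.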