Hi @Sakthi ,
Thanks for reaching out and apologies for the delay in response.
Your observation is correct and totally valid here.
As per all the documentation, TOTP generates a one-time passcode every 30 seconds, but nothing is mentioned about its expiry time.
As per the TOTP algorithm, we can't control its expiry time and, as the name says, it is a one-time code which can be used only once.
So even if you are entering the expired code, it is really not expired. It has only expired in the time slice in which the app generated it, but Azure AD B2C will accept it within the time tolerance (as per you, up to 5 mins sometimes).
As this OTP can be used once, B2C will give you an error if you try to use it a second time.
One more factor is that the code generation is based on system time, and while the system time of Azure AD B2C can be synchronized with internet time servers, the system time of a mobile device can be out of sync for various reasons. Thus, Azure AD (B2C) has a time tolerance of to accept Time-Based One-Time Passwords during verification.
Hope this will help.
Thanks,
Shweta
--------------------------------------------------
Please remember to "Accept Answer" if answer helped you.
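A minimal server-side TOTP verifier, added here as an example (not code from this thread or from Azure AD B2C), showing the two behaviours described in the answer: a code is accepted within a tolerance window of time steps, but once accepted it is rejected on any later attempt. The secret, the 6-digit length and the ±1-step window are assumptions; the secret is the RFC 6238 SHA-1 test key so the codes can be checked against the RFC vectors.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30          # RFC 6238 default step (the 30 seconds mentioned above)
ALLOWED_SKEW_STEPS = 1  # assumed tolerance: one step before and after "now"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of steps elapsed since the epoch."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Tolerates clock skew between device and server, but never accepts a code twice."""

    def __init__(self, secret: bytes, skew_steps: int = ALLOWED_SKEW_STEPS, step: int = TIME_STEP):
        self.secret = secret
        self.skew = skew_steps
        self.step = step
        self.last_accepted = -1  # highest time-step counter already used (replay guard)

    def verify(self, code: str, now: int) -> str:
        current = now // self.step
        # Try every counter inside the tolerance window, e.g. [current-1, current+1].
        for counter in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= self.last_accepted:
                    return "replayed"  # same (or an older) step already consumed
                self.last_accepted = counter
                return "accepted"
        return "invalid"  # wrong code, or a code whose step is outside the window


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test secret (constructed input)
    verifier = TotpVerifier(secret)
    code = totp(secret, int(time.time()))
    print(code, verifier.verify(code, int(time.time())))       # accepted
    print(code, verifier.verify(code, int(time.time()) + 20))  # replayed
```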