AD-B2C Custom Policy - Microsoft Authenticator TOTP valid for more than 30 seconds

Sakthi 121 Reputation points
2022-10-13T05:05:41.227+00:00

Hi,

We have used a custom policy and have the authenticator app as one of the MFA options to log in to our application. We are using the Microsoft Authenticator App and it generates the one-time passcode every 30 seconds. However, we are able to log in to the application using the old TOTP that was generated before the 30 seconds.

I have verified this by checking the validity of the TOTP, but couldn't find any documentation on this. The code generated is sometimes valid up to 3 minutes and sometimes up to 5 minutes. Is the code not supposed to expire within 30 seconds?

Can you please clarify this, and refer me to any documentation.

@AmanpreetSingh-MSFT , @Olga Os - MSFT can you please help with this issue.


Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-11-04T07:16:32.093+00:00

    Hi @Sakthi ,

    Thanks for reaching out and apologies for the delay in response.

    Your observation is correct and totally valid here.

    As per all the documentation, TOTP generates the one-time passcode every 30 seconds, but nothing is mentioned about its expiry time.

    As per the TOTP algorithm, we can't control its expiry time, and as the name says, it is a one-time code which can be used only once.
    So even if you are entering the expired code, it is really not expired. It has just expired in the time slice when the app generated it, but Azure AD B2C will accept it within the time tolerance (as you observed, up to 5 minutes sometimes).

    As this OTP can be used only once, B2C will give you an error if you try to use it again.

    One more factor is that the code generation is based on system time, and while the system time of Azure AD B2C can be synchronized with internet time servers, the system time of a mobile device can be out of sync for various reasons. Thus, Azure AD (B2C) has a time tolerance to accept Time-Based One-Time Passwords during verification.

    Hope this will help.

    Thanks,
    Shweta

    --------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

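The behaviour described in the answer (a 30-second code still accepted minutes later, but never twice) is what a standard RFC 6238 verifier with a clock-skew window and replay tracking produces. The following is an added illustration, not code from the question, the answer, or Azure AD B2C; the window size it uses is an assumption, since the page does not state the tolerance B2C applies, and the secret is the RFC 6238 test key.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side verification with a +/- `window` time-step tolerance and one-time use.

    `window` models the clock-skew tolerance the answer describes; the exact value
    Azure AD B2C uses is not given on the page, so window=2 here is an assumption.
    """

    def __init__(self, secret: bytes, window: int = 2, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        # Try the current step and `window` steps on either side (device clock behind or ahead).
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used: a replay of this (or an older) code is rejected
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# Constructed demo using the RFC 6238 test secret; the app "generated" a code at T_GEN.
SECRET = b"12345678901234567890"
T_GEN = 1111111109
APP_CODE = totp(SECRET, T_GEN)
```

With window=2 the code is still accepted 60 seconds after generation (two steps later) but not 90 seconds after; widening the window to 10 steps reproduces the "valid for 5 minutes" observation, and a second use of the same code fails either way.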
