I’m in the process of implementing TOTP based on RFC6238.
The RFC’s recommended time step is 30 seconds.
However, for addressing a resynchronization problem that we have,
if I use a larger time step, 15 mins
or if my verifier verifies the code across 30 time slots (15 previous, the current and 29 future),
is there any vulnerability apart from the larger time window for brute-forcing?
The RFC document doesn’t seem to explicitly mention why the 30 sec is their recommendation.