[GH-ISSUE #47] problem with KEY_REGENERATION #21

Closed
opened 2026-02-25 20:32:12 +03:00 by kerem · 12 comments

Originally created by @parnus01 on GitHub (Aug 24, 2016).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/47

I changed the value from 30 seconds to values such as 25 or 45 to reduce the lifetime of the generated code, but it does not work.

Help me please, I am a newbie to Google2FA.

kerem closed this issue 2026-02-25 20:32:12 +03:00

@aik099 commented on GitHub (Aug 24, 2016):

It did work, but we're checking 2 codes before and 2 codes after the matching one to compensate for the network delay between the user submitting the form and the time when it reaches the server.


@parnus01 commented on GitHub (Aug 24, 2016):

OK, but I have another question: when I verify a code and it is valid, I can use the same code again afterwards and it verifies too. How can I customize this so that one code can be verified only once?


@aik099 commented on GitHub (Aug 24, 2016):

The same code can be used any number of times until it expires (30 seconds by default). This is how the algorithm (not specific to this library) works (time-based code generation).

You can also configure the window size (the number of codes before/after this one that are checked) via the `$window` parameter when calling the `verifyKey` method (see https://github.com/antonioribeiro/google2fa/blob/master/src/Google2FA.php#L212).


@parnus01 commented on GitHub (Aug 24, 2016):

"Until it's expired (30 seconds by default)": why can I still use it after that? I timed it at around 2 minutes.

But KEY_REGENERATION = 30 in my code.


@aik099 commented on GitHub (Aug 24, 2016):

Does the problem you describe happen on the demo page https://antoniocarlosribeiro.com/technology/google2fa as well?


@parnus01 commented on GitHub (Aug 24, 2016):

Yes, you can try: after 30 minutes it can be used.


@parnus01 commented on GitHub (Aug 24, 2016):

And I don't know: if I change `$window`, what will change?


@aik099 commented on GitHub (Aug 24, 2016):

> yes you can try after 30 minute it can used

If a generated code is valid past its expiration time, then it's surely a bug.

> and i dont know if i change $window What will be change ?

Then your code won't be considered valid if all of these criteria are met:

  • your code is valid for 30 seconds
  • you submit the code on the 29th second of code validity
  • the HTTP request reaches the web server only after 2 seconds

I think a window of `1` is enough to compensate for this. That would allow a code to be valid for 3x its expiration.


@parnus01 commented on GitHub (Aug 24, 2016):

Very confusing: after I change KEY_REGENERATION to 45 or 60 seconds, it can't verify even though the code was just generated.


@sokai commented on GitHub (Aug 24, 2016):

#23 "[Q] keyRegeneration period and window (key)" was the same intention …


@parnus01 commented on GitHub (Aug 25, 2016):

I can't change keyRegeneration by 30, right?


@antonioribeiro commented on GitHub (Jun 17, 2017):

Unless you can control the lifetime of your keys in the app your users will use to check the keys (Google Authenticator?), you should never touch key regeneration; those 30 seconds of lifetime for a key are used worldwide.

If you need the password to be available for a little more time, you have to play with `window`.

I have built a new playground page to help you with this: https://pragmarx.com/google2fa
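
The three behaviours discussed in this thread (the window widening a code's acceptance time, the same code verifying twice, and a changed regeneration period breaking verification), as an added example that is not part of the original issue and not google2fa's own code. It implements RFC 6238 directly in Python; `verify`, `last_counter`, `demo` and `DEMO_SECRET` are hypothetical names, and the secret is used as raw bytes rather than the Base32 string an authenticator app is provisioned with.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (raw bytes, as in the RFC 6238 test vectors); not a real key.
DEMO_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226 value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, unix_time, period=30):
    """RFC 6238: counter = whole periods elapsed since the Unix epoch."""
    return hotp(secret, unix_time // period)

def verify(secret, code, now, window=1, period=30, last_counter=None):
    """Return the matched time-step counter, or None if the code is refused.
    window: steps checked on each side of the current one, so a code is
    accepted for (2 * window + 1) * period seconds in total.
    last_counter: highest step already accepted for this user (hypothetical
    per-user state); steps at or below it are skipped, blocking reuse."""
    current = now // period
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

def demo():
    issued = 1111111109                # offset 29 s into its 30 s step
    code = totp(DEMO_SECRET, issued)   # what the authenticator app displays
    arrival = issued + 2               # request reaches the server 2 s later
    return {
        "window0": verify(DEMO_SECRET, code, arrival, window=0),
        "window1": verify(DEMO_SECRET, code, arrival, window=1),
        "replay": verify(DEMO_SECRET, code, arrival, window=1,
                         last_counter=issued // 30),
        # Server period changed to 45 s while the app still uses 30 s.
        "server_period_45": verify(DEMO_SECRET, code, arrival, period=45),
    }

if __name__ == "__main__":
    print(demo())
```

Persisting the counter returned by `verify` per user and passing it back as `last_counter` is what turns a time-window code into a single-use one.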
