[GH-ISSUE #23] [Q] keyRegeneration period and window (key) #481

Closed
opened 2026-03-14 11:54:20 +03:00 by kerem · 3 comments
Originally created by @sokai on GitHub (Jan 25, 2016).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/23

Hi there! Yesterday I played a bit with G2FA and now have a question. (I don't know of another place to ask, and I know that the original code was made by a Phil …)

### Background of my understanding

G2FA generates (by default) every 30 secs (= `keyRegeneration`) a new OTP with a validity time/period from now (= `timeStamp`) up to `now + 4x30 secs` (`now` is rounded down to the last 30th second).

#### Example one

```
now: 11:03:54
valid from: 11:03:30
valid up to: 11:05:30
```

#### Example two

```
now: 11:03:15
valid from: 11:03:00
valid up to: 11:05:00
```

### Questions

#### Examples

With the above examples my expected `valid up to` time is not true. My OTPs are always valid **30 secs longer**.

```
example one = up to 11:06:00
example two = up to 11:05:30
```

→ So am I missing something, or is my understanding wrong?

#### My scenario

Is a scenario where OTPs are generated **every second** and are **valid for 20 secs** realisable/feasible? And if yes, how can I do it?

Thanks a lot for your help and best regards!

kerem closed this issue 2026-03-14 11:54:25 +03:00
@aik099 commented on GitHub (Mar 11, 2016):

The window concept is a way to compensate for the following:

  • the time it takes to submit your code back to the server for checking (if you submit in the last second the code is valid, then without the window the check would fail)
  • the time on the server being (a bit) out of sync with the time on the user's computer
@antonioribeiro commented on GitHub (Jul 17, 2016):

30 seconds is the OTP's general lifetime; if you change it on your end, you will not be able to use things like Google Authenticator. This is the first window.

There's a second window, to solve the problems pointed out by @aik099: your OTP is valid 4 seconds before the 30s window starts and stays valid 4 seconds after the window has ended.
@ghost commented on GitHub (Sep 15, 2016):

Using a lifetime of 30 seconds is fine, because most apps (FreeOTP) use 30 seconds to show the "valid graph". Using `$google2fa->verifyKey($key_from_user, $entered_key, 0)` will make the key valid for only 30 seconds, but keep in mind many companies use some kind of "offset" as mentioned above (time for submitting the request etc.).
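The following is an added example, not code from the original issue or from the google2fa library: a minimal RFC 6238 TOTP verifier in Python with the same 30 s period and the "window of N time steps" concept the comments above describe, run over the clock values from the question. It shows both what @aik099 and @ghost are saying (window 0 accepts only the current step, a wider window absorbs submission delay and clock skew) and why the "valid up to" time in the question lands 30 s later than expected. The function names, the use of seconds-of-day instead of Unix time, the RFC test-vector secret and the window value of 4 steps (read off the question's "4x30 secs") are assumptions made here for illustration; the only google2fa call the page itself shows is the `verifyKey(..., 0)` line quoted above.

```python
"""Added example (not google2fa's code): RFC 6238 TOTP with a +/- window of
time steps, showing the acceptance interval of a code for a given window."""
import hashlib
import hmac
import struct

PERIOD = 30   # seconds per time step; RFC 6238 default and what authenticator apps expect
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / period).
    `now` is any shared clock in seconds; production code uses int(time.time())."""
    return hotp(secret, now // period)


def verify(secret: bytes, code: str, now: int, window: int, period: int = PERIOD) -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.
    window=0 accepts only the current 30 s step; window=4 accepts 9 steps in total."""
    step = now // period
    return any(
        hmac.compare_digest(hotp(secret, step + offset), code)   # constant-time compare
        for offset in range(-window, window + 1)
    )


def acceptance_interval(generated_at: int, window: int, period: int = PERIOD) -> tuple[int, int]:
    """Half-open [start, end) of server clock values at which a code generated at
    `generated_at` still verifies with the given window.  The end is one full
    step past step+window, which is the extra 30 s the question observed."""
    step = generated_at // period
    return (step - window) * period, (step + window + 1) * period


def to_seconds(clock: str) -> int:
    """'HH:MM:SS' -> seconds since midnight (stand-in for a Unix timestamp)."""
    h, m, s = (int(x) for x in clock.split(":"))
    return h * 3600 + m * 60 + s


def hhmmss(seconds: int) -> str:
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test-vector secret and the clock values from the question.
    secret = b"12345678901234567890"
    window = 4   # assumed window, in 30 s steps, matching the question's "4x30 secs"
    for label, clock in (("example one", "11:03:54"), ("example two", "11:03:15")):
        t = to_seconds(clock)
        start, end = acceptance_interval(t, window)
        print(f"{label}: code {totp(secret, t)} generated at {clock} "
              f"verifies from {hhmmss(start)} until {hhmmss(end)} (exclusive)")
    # A code presented one step late: rejected with window=0, accepted with window=1.
    late = to_seconds("11:04:00")
    code = totp(secret, to_seconds("11:03:54"))
    print("window=0, one step late:", verify(secret, code, late, 0))
    print("window=1, one step late:", verify(secret, code, late, 1))
```

Running this prints that the example-one code verifies until 11:06:00 and the example-two code until 11:05:30, which is exactly what the question observed: the last accepted step is `step + window`, and that step itself lasts a full 30 s, so the interval ends at `(step + window + 1) * 30`. Two practitioner caveats follow from the same arithmetic. A window of `w` steps means `2w + 1` codes are accepted on every attempt, so the guessing probability per attempt grows with the window and login attempts need rate limiting regardless of the window chosen. And because a code stays valid for the whole interval, a verifier should also remember the step of the last accepted code and refuse an older or equal one, otherwise a code captured once can be replayed until the interval closes.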
Reference
starred/google2fa#481