I've noticed that Microsoft's one-time passcodes (OTPs) keep working even after 30 seconds have passed, sometimes up to 45 seconds. I thought OTPs were supposed to expire after 30 seconds? Is this intentional for user convenience, or could it potentially pose a security risk?
5 Answers
Yeah, it’s pretty normal for OTP systems. Many of them allow you a little extra time. Not every device has perfectly synced time, so that slight overlap helps users.
I wouldn’t call it a major security risk, but it could be if someone shares old codes, thinking they’re inactive. Just be mindful of how you’re sharing information.
From what I've read, this seems to be intentional. A lot of people may take longer to enter their codes, and it’s designed to accommodate that. It's not unusual, just a convenience feature.
I’ve encountered this in various MFA setups as well. They often give you a grace period to use the previous code. It’s likely a balance between user experience and security.
There are certainly some concerns from a hacker's standpoint. If someone’s session takes longer than a few seconds, they could exploit that gap, so it's worth considering how these systems are set up.

Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures