@samhenrigold @SamTheGeek Yeah, usually the server will accept all 3 of current, previous, and next codes as valid. That’s at the server’s discretion tho, they can choose to be stricter.

@samhenrigold @SamTheGeek It's usually more than 10-20 seconds in my experience. It's pretty common to accept current plus two codes in either direction, future and past.

Because time is an input into the TOTP algorithm that generated the code, admins generally build in some leniency for clocks not being totally in sync.

(Current time gets turned into a count of 30 second increments elapsed since the defined start time. That counter plus the shared secret get fed into the hashing algorithm.)