pquerna / otp

TOTP library for Go

Hello, what does the Skew parameter mean?

nfhh opened this issue · comments

commented

Hello, what does the Skew parameter mean?

commented

When Skew is 1 (actually, the default value for this library is 1), authentication will check the valid time range of the OTP, both before and after the current period, which means that the OTP password is still valid after the present period (e.g. period is 30 seconds, and the valid time range is [Before(30s) ~ Present(30s) ~ After(30s)]).

I recommend using ValidateCustom() which allows you to manually set the Skew to 0.

https://github.com/pquerna/otp/blob/master/totp/totp.go#L102-L109

```go
counters = append(counters, uint64(counter))
for i := 1; i <= int(opts.Skew); i++ {
	counters = append(counters, uint64(counter+int64(i)))
	counters = append(counters, uint64(counter-int64(i)))
}
```
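
The acceptance window the answer above describes, as an added standard-library example (not code from pquerna/otp or from this thread). The names `hotp` and `acceptedStep`, the 6-digit HMAC-SHA1 codes, and the fixed secret and clock are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const period = 30 // seconds per TOTP step, as in the answer above

// hotp (hypothetical helper) computes a 6-digit RFC 4226 code for one counter.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// acceptedStep (hypothetical helper) tries the same counters as the quoted loop:
// current, then +i and -i for i = 1..skew. It reports which step offset matched.
func acceptedStep(code string, secret []byte, now time.Time, skew uint) (int64, bool) {
	counter := now.Unix() / period
	offsets := []int64{0}
	for i := int64(1); i <= int64(skew); i++ {
		offsets = append(offsets, i, -i)
	}
	for _, d := range offsets {
		want := hotp(secret, uint64(counter+d))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return d, true
		}
	}
	return 0, false
}

func main() {
	secret := []byte("12345678901234567890")         // constructed secret (RFC 4226 test key)
	now := time.Unix(1700000000, 0)                  // constructed, fixed clock
	old := hotp(secret, uint64(now.Unix()/period-1)) // code from the previous period
	for _, skew := range []uint{0, 1} {
		d, ok := acceptedStep(old, secret, now, skew)
		fmt.Printf("skew=%d accepted=%v offset=%d\n", skew, ok, d)
	}
}
```

With a skew of `n`, `2n+1` codes are valid at any moment, so each guess has `2n+1` chances to match and a captured code stays usable for up to `n` extra periods.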