Why Duo 2FA codes are sometimes not accepted
The Duo Mobile app's third-party TOTP code timer may not be in sync with other authenticator apps.
This can occur because the Duo Mobile app follows the recommendations in RFC 6238 that allow codes from 1-3 time steps (30-90 seconds) away from the "current time" to be accepted as valid, in order to account for clock drift and network delay.
Many applications accept codes that are at least a couple of time steps out of sync. Since we expect the validating side to allow codes that are slightly out of sync, the requirement for when a new code is generated within Duo Mobile has been deliberately loosened to be more user-friendly.
For example, instead of the user only seeing that they have a few seconds left to use a code, the Duo Mobile App will show each code generated as valid for 30 seconds from the moment it was first shown to the user.
The downside of this choice is that the codes shown in the Duo Mobile app can be up to 29 seconds old, depending on precisely when the code was exposed within Duo Mobile. As a result, applications that use very strict implementations of TOTP and do not allow out-of-sync codes will have a higher chance of rejecting the codes from Duo Mobile as "invalid". If this occurs with an application you use, you can reach out to the third-party application's support team to request that their TOTP validators include support for lookback windows.
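As an added example (not Duo's code and not any vendor's validator), the following Python shows an RFC 6238 validator rejecting a 29-second-old code when it allows no lookback and accepting the same code with a one-step lookback window. The function names, the `lookback` parameter and the timeline are assumptions made for illustration; the secret is the public RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, now: int, lookback: int = 1) -> bool:
    """Accept a code from the current step or up to `lookback` earlier steps."""
    accepted = False
    for steps_back in range(min(lookback, now // STEP) + 1):
        expected = totp(secret, now - steps_back * STEP)
        # Constant-time compare with no early exit, so timing does not
        # reveal which step (if any) matched.
        accepted |= hmac.compare_digest(expected.encode(), code.encode())
    return accepted

def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    generated_at = 31  # constructed: the app computes the code early in step 1
    submitted_at = 60  # constructed: the user submits it 29 s later, in step 2
    code = totp(secret, generated_at)
    return {
        "code": code,
        "strict": verify(secret, code, submitted_at, lookback=0),
        "lookback_1": verify(secret, code, submitted_at, lookback=1),
    }

if __name__ == "__main__":
    print(demo())
```

Each additional lookback step keeps an already displayed code valid for another 30 seconds, so validators typically keep the window small and refuse a code that has already been used once.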
Solution: restart the DUO Mobile app; that has helped every time so far.