2fa timeout

2FA is a great idea, however, why does the 2FA code expire in 15 MINUTES when you’ve only got 30 seconds to input?? By the time my email client has received the code, it is often too late to input, leading to 3 or more attempts to log in. Frustrating and unnecessary limitation.

2FA codes expire in 15 minutes for a few reasons:

  • Security: One-time passwords (OTPs) are designed to be used once and only once. This makes them more secure than traditional passwords, which can be reused and compromised. By expiring after 15 minutes, 2FA codes help to prevent attackers from using stolen or intercepted codes (i.e. email is not encrypted by default, so people can actually intercept your email, including your ISP and email servers, and read everything in it, including your 2FA codes, so they NEED to expire quickly). Same with SMS messages.
  • Usability: 2FA codes should be easy to use and convenient for users. By expiring after 15 minutes, users do not have to worry about remembering or managing a long list of codes.
  • Compatibility: 2FA codes are compatible with a wide range of devices and services. By expiring after 15 minutes, 2FA codes are less likely to cause compatibility problems.

However, it is true that the 30-second time limit to input a 2FA code can be tight, especially if the user is using a slow or unreliable internet connection, or if their email provider sucks and doesn’t update emails constantly but only once every X minutes or something.

I usually recommend people use an alternative since email is so insecure:

  • Use an authenticator app on their smartphone. Authenticator apps generate 2FA codes offline, so they are not affected by slow or unreliable internet connections.
  • Copy and paste the 2FA code from the authenticator app into the login form. This can save time and avoid typos.
  • Make sure that your smartphone’s time is set correctly. Authenticator apps use the time on the user’s smartphone to generate 2FA codes, so if the time is incorrect, the codes will not be valid. This is why they give 5-15 minutes leeway because people often use something with time out of sync and then the app and the server won’t match up with what an appropriate 2FA code should be.