I’ve set timewindow to 60 seconds and timestep to 30 seconds.
Tests show that OTP are accepted for at least 180 seconds.
If I reduce timewindow to values smaller than 60 seconds, nearly no OTP is accepted at all.
There is no timeshift between server and client(s). I’ve got two clients (cell + passbolt). Both generate the same OTP. Only the different settings on the server decide if these are accepted or not.
Why are OTP accepted much longer than timewindow defines (of >60)?
Why are timewindows smaller than 60 seconds unusable?