TOTP Tutorial

Overview

The passlib.totp module provides a set of classes for adding two-factor authentication (2FA) support into your application, using the widely supported TOTP specification (RFC 6238).

This module is based around the TOTP class, which supports a wide variety of use-cases, including:

  • Creating & transferring configured TOTP keys to client devices.
  • Generating & verifying tokens.
  • Securely storing configured TOTP keys.

See also

The passlib.totp API reference, which lists all details of all the classes and methods mentioned here.

Walkthrough

There are a number of different ways to integrate TOTP support into a server application. The following is a general outline of one of way to do this. Some details and alternate choices are omitted for brevity, see the remaining sections of this tutorial for more detailed information about these steps.

1. Generate an Application Secret

First, generate a strong application secret to use when encrypting TOTP keys for storage. Passlib offers a generate_secret() method to help with this:

>>> from passlib.totp import generate_secret
>>> generate_secret()
'pO7SwEFcUPvIDeAJr7INBj0TjsSZJr1d2ddsFL9r5eq'

This key should be assigned a numeric tag (e.g. “1”, a timestamp, or an iso date such as “2016-11-10”); and should be stored in a file separate from your application’s configuration. Ideally, after this file has been loaded by the TOTP constructor below, the application should give up access permissions to the file.

Example file contents:

2016-11-10: pO7SwEFcUPvIDeAJr7INBj0TjsSZJr1d2ddsFL9r5eq

This key will be used in a later step to encrypt TOTP keys for storage in your database. The sequential tag is used so that if your database (or the application secrets) are ever compromised, you can add a new application secret (with a newer tag), and gracefully migrate the compromised TOTP keys.

See also

For more details see Application Secrets (below).

2. TOTP Factory Initialization

When your application is being initialized, create a TOTP factory which is configured for your application, and is set up to use the application secrets defined in step 1. You can also set a default issuer here, instead of having to provide one explicitly in step 4:

>>> from passlib.totp import TOTP
>>> TotpFactory = TOTP.using(secrets_path='/path/to/secret/file/in/step/1',
...                          issuer="myapp.example.org")

The TotpFactory object returned by TOTP.using() is actually a subclass of TOTP itself, and has the same methods and attributes. The main difference is that (because an application secret has been provided), the TOTP key will automatically be encrypted / decrypted when serializing the object to disk.

See also

For more details see Creating TOTP Instances (below).

3. Rate-Limiting & Cache Initialization

As part of your application initialization, it critically important to set up infrastructure to rate limit how many token verification attempts a user / ip address is allowed to make, otherwise TOTP can be bypassed.

See also

For more details see Why Rate-Limiting is Critical (below)

It’s also strongly recommended to set up a per-user cache which can store the last matched TOTP counter (an integer) for a period of a few minutes (e.g. using dogpile.cache, memcached, redis, etc). This cache is used by later steps to protect your application during a narrow window of time where TOTP would otherwise be vulnerable to a replay attack.

See also

For more details see Preventing Token Reuse (below)

4. Setting up TOTP for a User

To set up TOTP for a new user: create a new TOTP object and key using TOTP.new(). This can then be rendered into a provisioning URI, and transferred to the user’s TOTP client of choice.

Rendering to a provisioning URI using TOTP.to_uri() requires picking an “issuer” string to uniquely identify your application, and a “label” string to uniquely identify the user. The following example creates a new TOTP instance with a new key, and renders it to a URI, plugging in application-specific information.

Using the TotpFactory object set up in step 2:

>>> totp = TotpFactory.new()
>>> uri = totp.to_uri(issuer="myapp.example.org", label="username")
>>> uri
'otpauth://totp/username?secret=D6RZI4ROAUQKJNAWQKYPN7W7LNV43GOT&issuer=myapp.example.org'

This URI is generally passed to a QRCode renderer, though as fallback it’s recommended to also display the key using TOTP.pretty_key().

See also

For more details, and more about QR Codes, see Configuring Clients (below).

5. Storing the TOTP object

Before enabling TOTP for the user’s account, it’s good practice to first have the user successfully verify a token (per step 6); thus confirming their client h as been correctly configured.

Once this is done, you can store the TOTP object in your database. This can be done via the TOTP.to_json() method:

>>> totp.to_json()
'{"enckey":{"c":14,"k":"FLEQC3VO6SIT3T7GN2GIG6ONPXADG5CZ","s":"UL2J4MZG4SONHOWXLKFQ","t":"1","v":1},"type":"totp","v":1}'

Note that if there is no application secret configured, the key will not be encrypted, and instead look like this:

>>> totp.to_json()
'{"key":"D6RZI4ROAUQKJNAWQKYPN7W7LNV43GOT","type":"totp","v":1}'

To ensure you always save an encrypted token, you can use totp.to_json(encrypted=True).

See also

For more details see Storing TOTP instances

6. Verifying a Token

Whenever attempting to verify a token provided by the user, first load the serialized TOTP object from the database (stored step 5), as well as the last counter value from the cache (set up in step 3). You should use these values to call the TOTP.verify() method.

If verify() succeeds, it will return a TotpMatch object. This object contains information about the match, including TotpMatch.counter (a time-dependant integer tied to this token), and TotpMatch.cache_seconds (minimum time this counter should be cached).

If verify() fails, it will raise one of the passlib.exc.TokenError subclasses indicating what went wrong. This will be one of three cases: the token was malformed (e.g. too few digits), the token was invalid (didn’t match), or a recent token was reused.

A skeleton example of how this should function:

>>> from passlib.exc import TokenError, MalformedTokenError

>>> # pull information from your application
>>> token = # ... token string provided by user ...
>>> source = # ... load totp json string from database ...
>>> last_counter = # ... load counter value from cache ...

>>> # ... check attempt rate limit for this account / address (per step 3 above) ...

>>> # using the TotpFactory object defined in step 2, invoke verify
>>> try:
...     match = TotpFactory.verify(token, source, last_counter=last_counter)
... except MalformedTokenError as err:
...     # --- malformed token ---
...     # * inform user, e.g. by displaying str(err)
... except TokenError as err:
...     # --- invalid or reused token ---
...     # * add to rate limit counter
...     # * inform user, e.g. by displaying str(err)
... else:
...     # --- successful match ---
...     # * reset rate-limit counter
...     # * store 'match.counter' in per-user cache for at least 'match.cache_seconds'

See also

For more details see Verifying Tokens (below)

Alternate Caching Strategy

As an alternative to storing match.counter in the cache, applications using a cache such as memcached may wish to simply set a key based on user + token for match.cache_seconds, and reject any tokens coming in for that user who are marked in the cache.

In that case, they should run the tokens through TOTP.normalize_token() first, to make sure the token strings are normalized before comparison. In this case, the skeleton example can be amended to:

>>> # pull information from your application
>>> token = # ... token string provided by user ...
>>> source = # ... load totp json string from database ...
>>> user_id = # ... user identifier for cache

>>> # ... check attempt rate limit for this account / address (per step 3 above) ...

>>> # check token format
>>> try:
...     token = TotpFactory.normalize_token(token)
... except MalformedTokenError as err:
...     # --- malformed token ---
...     # * inform user, e.g. by displaying str(err)
...     return

>>> # check if token has been used, using app-defined present_in_cache() helper
>>> cache_key = "totp-token-%s-%s" % (user_id, token)
>>> if present_in_cache(cache_key):
...     # * add to rate limit counter
...     # * present 'token already used' message
...     return

>>> # using the TotpFactory object defined in step 2, invoke verify
>>> try:
...     match = TotpFactory.verify(token, source)
... except TokenError as err:
...     # --- invalid token ---
...     # * add to rate limit counter
...     # * inform user, e.g. by displaying str(err)
... else:
...     # --- successful match ---
...     # * reset rate-limit counter
...     # * set 'cache_key' in per-user cache for at least 'match.cache_seconds'

7. Reserializing Existing Objects

An organization’s security policy may require that a developer periodically change the application secret key used to decrypt/encrypt TOTP objects. Alternately, the application secret may become compromised.

In either case, a new application secret will need to be created, and a new tag assigned (per step 1). Any deprecated secret(s) will need to be retained in the collection passed to the TotpFactory, in order to be able to decrypt existing TOTP objects.

Note

You can verify which secret is will be used to encrypt new keys by inspecting tag = TotpFactory.wallet.default_tag.

Once the new secret has been added, you will need to update all the serialized TOTP objects in the database, decrypting them using the old secret, and encrypting them with the new one.

This can be done in a few ways. The following skeleton example gives a simple loop that can be used, which would ideally be run in a process that’s separate from your normal application:

>>> # presuming query_user_totp() queries your database for all user rows,
>>> # and update_user_totp() updates a specific row.
>>> for user_id, totp_source in query_user_totp():
>>>     totp = TotpFactory.from_source(totp_source)
>>>     if totp.changed:
>>>         update_user_totp(user_id, totp.to_json())

This uses the TOTP.changed attribute, which is set to True if TOTP.from_source() (or other constructor) detects the source data is encrypted with an old secret, is using outdated encryption settings, or is stored in deprecated serialization format.

Some refinements that may need to be made for specific situations:

  • For applications with a large number of users, it may be faster to accumulate (user_id, totp.to_json()) pairs in a buffer, and do a bulk SQL update once every 100-1000 rows.
  • Depending on the dbapi layer in use, it may take care of JSON serialization for you, in which case you’ll need to use totp.to_dict() instead of totp.to_json().

Once all references to a deprecated secret have been replaced, it can be removed from the secrets file.

See also

For more details see Step 1 (above), or Application Secrets (below)

Creating TOTP Instances

Direct Creation

Creating TOTP instances is straightforward: The TOTP class can be called directly to constructor a TOTP instance from it’s component configuration:

>>> from passlib.totp import TOTP
>>> totp = TOTP(key='GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM', digits=9)
>>> totp.generate()
'29387414'

You can also use a number of the alternate constructors, such as TOTP.new() or TOTP.from_source():

>>> # create new instance w/ automatically generated key
>>> totp = TOTP.new()

>>> # or deserializing it from a string (e.g. the output of TOTP.to_json)
>>> totp = TOTP.from_source('{"key":"D6RZI4ROAUQKJNAWQKYPN7W7LNV43GOT","type":"totp","v":1}')

Once created, you can inspect the object for it’s configuration and key:

>>> otp.base32_key
'GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM'
>>> otp.alg
"sha1"
>>> otp.period
30

If you want a non-standard alg or period, you can specify it via the constructor. You can also create TOTP instances from an existing key (see the TOTP constructor’s key and format options for more details):

>>> otp2 = TOTP(new=True, period=60, alg="sha256")
>>> otp2.alg
'sha256'
>>> otp2.period
60

>>> otp3 = TOTP(key='GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM')

Using a Factory

Most applications will have some default configuration which they want all TOTP instances to have. This includes application secrets (for encrypting TOTP keys for storage), or setting a default issuer label (for rendering URIs).

Instead of having to call the TOTP constructor each time and provide all these options, you can use the TOTP.using() method. This method takes in a number of the same options as the TOTP constructor, and returns a TOTP subclass which has these options pre-programmed in as defaults:

>>> # here we create a TOTP factory with a random encryption secret and a default issuer
>>> from passlib.totp import TOTP, generate_secret
>>> TotpFactory = TOTP.using(issuer="myapp.example.org", secrets={"1": generate_secret()})

Since this object is a subclass of TOTP, you can use all it’s normal methods. The difference is that it will integrate the information provided by using():

>>> totp = TotpFactory.new()
>>> totp.issuer
'myapp.example.org'

>>> totp.to_json()
'{"enckey":{"c":14,"k":"FLEQC3VO6SIT3T7GN2GIG6ONPXADG5CZ","s":"UL2J4MZG4SONHOWXLKFQ","t":"1","v":1},"type":"totp","v":1}'

In typical usage, a server application will want to create a TotpFactory as part of it’s initialization, and then use that class for all operations, instead of referencing TOTP directly.

See also

Configuring Clients

Once a TOTP instance & key has been generated on the server, it needs to be transferred to the client TOTP program for installation. This can be done by having the user manually type the key into their TOTP client, but an easier method is to render the TOTP configuration to a URI stored in a QR Code.

Rendering URIs

The KeyUriFormat is a de facto standard for encoding TOTP keys & configuration information into a string. Once the URI is rendered as a QR Code, it can easily be imported into many smartphone clients (such as Authy and Google Authenticator) via the smartphone’s camera.

When transferring the TOTP configuration this way, you will need to provide unique identifiers for both your application, and the user’s account. This allows TOTP clients to distinguish this key from the others in it’s database. This can be done via the issuer and label parameters of the TOTP.to_uri() method.

The issuer string should be a globally unique label for your application (e.g. it’s domain name). Since the issuer string shouldn’t change across users, you can create a customized TOTP factory, and provide it with a default issuer. (If you skip this step, the issuer will need to be provided at every TOTP.to_uri() call):

>>> from passlib.totp import TOTP
>>> TotpFactory = TOTP.using(issuer="myapp.example.org")

Once this is done, rendering to a provisioning URI just requires picking a label for the URI. This label should identify the user within your application (e.g. their login or their email):

>>> # assume an existing TOTP instance has been created
>>> totp = TotpFactory.new()

>>> # serialize the object to a URI, along with label for user
>>> uri = totp.to_uri(label="demo-user")
>>> uri
'otpauth://totp/demo-user?secret=GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM&issuer=myapp.example.org'

Rendering QR Codes

This URI can then be encoded as a QR Code, using various python & javascript qrcode libraries. As an example, the following uses PyQrCode to render the URI to the console as a text-based QR code:

>>> import pyqrcode
>>> uri = totp.to_uri(label="demo-user")
>>> print(pyqrcode.create(uri).terminal(quiet_zone=1))
... very large ascii-art qrcode here...

As a fallback to the QR Code, it’s recommended to alternately / also display the key itself, so that users with camera-less TOTP clients can still enter it. The TOTP.pretty_key() method is provided to help with this:

>>> totp.pretty_key()
'D6RZ-I4RO-AUQK-JNAW-QKYP-N7W7-LNV4-3GOT'

Note that if you use a non-default alg, digits, or period values, these should also be displayed next to the key.

Parsing URIs

On the client side, passlib offers the TOTP.from_uri() constructor creating a TOTP object from a provisioning URI. This can also be useful for testing URI encoding & output during development:

>>> # create new TOTP instance from a provisioning uri:
>>> from passlib.totp import TOTP
>>> totp = TOTP.from_uri('otpauth://totp/demo-user?secret=GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM&issuer=myapp.example.org')
>>> otp.base32_key
'GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM'
>>> otp.alg
"sha1"
>>> otp.period
30
>>> otp.generate().token
'897453'

Storing TOTP instances

Once a TOTP object has been created, it inevitably needs to be stored in a database. Using to_uri() to serialize it to a URI has a few disadvantages - it always includes an issuer & a label (wasting storage space), and it stores the key in an unencrypted format.

JSON Serialization

To help with this passlib offers a way to serialize TOTP objects to and from a simple JSON format, which can optionally encrypt the keys for storage.

To serialize a TOTP object to a string, use TOTP.to_json():

>>> from passlib.totp import TOTP
>>> totp = TOTP.new()
>>> data = totp.to_json()
>>> data
'{"key":"GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM","type":"totp","v":1}'

This string can be stored in a database, and then deserialized as needed using the TOTP.from_json() constructor:

>>> totp2 = TOTP.from_json(data)
>>> totp2.base32_key
'GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM'

There are also corresponding TOTP.to_dict() and TOTP.from_dict() methods for applications that want to serialize the object without converting it all the way into a JSON string.

Caution

The above procedure should only be used for development purposes, as it will NOT encrypt the keys; and the IETF strongly recommends encrypting the keys for storage (RFC-6238 sec 5.1). Encrypting the keys is covered below.

Application Secrets

The one thing lacking about the example above is that the resulting data contained the plaintext key. If the server were compromised, the TOTP keys could be used directly to impersonate the user. To solve this, Passlib offers a method for providing an application-wide secret that TOTP.to_json() will use to encrypt keys.

Per Step 1 of the walkthrough (above), applications can use the generate_secret() helper to create new secrets. All existing secrets (the current one, and any deprecated / compromised ones) should be assigned an identifying tag, and stored in a dict or file.

Ideally, these secrets should be stored in a location which the application’s process does not have access to once it has been initialized. Once this data is loaded, applications can create a factory function using TOTP.using(), and provide these secrets as part of it’s arguments. This can take the form of a file path, a loaded string, or a dictionary:

>>> # load from dict
>>> from passlib.totp import TOTP
>>> TotpFactory = TOTP.using(secrets={"1": "'pO7SwEFcUPvIDeAJr7INBj0TjsSZJr1d2ddsFL9r5eq'"})

>>> # load from filepath
>>> TotpFactory = TOTP.using(secrets_path="/path/to/secret/file")

The secrets and secrets_path values can be anything accepted by the AppWallet constructor (the internal class that’s used to load & store the application secrets in memory). An instance of this object is accessible for inspection from the TOTP.wallet attribute of each factory:

>>> TotpFactory.wallet
<passlib.totp.AppWallet at 0x2ba5310>

Encrypting Keys

Once you have a TOTP factory configured with one or more application secrets, any objects you create through the factory will automatically have access to the application secrets, and will use them to encrypt the key when serializing to json.

Assuming TotpFactory is set up from the previous step, contrast the output of this with the plain JSON serialization example above:

>>> totp = TotpFactory.new()
>>> data = totp.to_json()
>>> data
'{"enckey":{"c":14,"k":"FLEQC3VO6SIT3T7GN2GIG6ONPXADG5CZ","s":"UL2J4MZG4SONHOWXLKFQ","t":"1","v":1},"type":"totp","v":1}'

This data can be stored in the database like normal, but will require access to the application secret in order to decrypt:

>>> data = '{"enckey":{"c":14,"k":"FLEQC3VO6SIT3T7GN2GIG6ONPXADG5CZ","s":"UL2J4MZG4SONHOWXLKFQ","t":"1","v":1},"type":"totp","v":1}'
>>> totp = TotpFactory.from_source(data)
>>> totp.base32_key
'FLEQC3VO6SIT3T7GN2GIG6ONPXADG5CZ'

Whereas trying to decode without a secret configured will result in:

>>> totp = TOTP.from_source(data)
...
TypeError: no application secrets present, can't decrypt TOTP key

Note that when loading TOTP objects this way, you can check the TOTP.changed attr to see if the object needs to be re-serialized (e.g. deprecated secret, too few encryption rounds, deprecated serialization format).

Generating Tokens (Client-Side Only)

Finally, the whole point of TOTP: generating and verifying tokens. The TOTP protocol generates a new time & key -dependant token every <period> seconds (usually 30).

Generating a totp token is done with the TOTP.generate() method, which returns a TotpToken instance. This object looks and acts like a tuple of (token, expire_time), but offers some additional informational attributes:

>>> from passlib import totp
>>> otp = TOTP(key='GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM')

>>> # generate a TOTP token for the current timestamp
>>> # (your output will vary based on system time)
>>> otp.generate()
<TotpToken token='589720' expire_time=1475342400>

>>> # to get just the token, not the TotpToken instance...
>>> otp.generate().token
'359275'

>>> # you can generate a token for a specific time as well...
>>> otp.generate(time=1475338840).token
'359275'

See also

For more details, see the TOTP.generate() method.

Verifying Tokens

In order for successful authentication, the user must generate the token on the client, and provide it to your server before the TOTP.period ends.

Since this there will always be a little transmission delay (and sometimes client clock drift) TOTP verification usually uses a small verification window, allowing a user to enter a token a few seconds after the period has ended. This window is usually kept as small as possible, and in passlib defaults to 30 seconds.

Match & Verify

To verify a token a user has provided, you can use the TOTP.match() method. If unsuccessful, a passlib.exc.TokenError subclass will be raised. If successful, this will return a TotpMatch instance, with details about the match. This object acts like a tuple of (counter, timestamp), but offers some additional informational attributes:

>>> # NOTE: all of the following was done at a fixed time, to make these
>>> #       examples repeatable. in real-world use, you would omit the 'time' parameter
>>> #       from all these calls.

>>> # assuming TOTP key & config was deserialized from database store
>>> from passlib import totp
>>> otp = TOTP(key='GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM')

>>> # user provides malformed token:
>>> otp.match('359', time=1475338840)
...
MalformedTokenError: Token must have exactly 6 digits

>>> # user provides token that isn't valid w/in time window:
>>> otp.match('123456', time=1475338840)
...
InvalidTokenError: Token did not match

>>> # user provides correct token
>>> otp.match('359275', time=1475338840)
<TotpMatch counter=49177961 time=1475338840 cache_seconds=60>

As a further optimization, the TOTP.verify() method allows deserializing and matching a token in a single step. Not only does this save a little code, it has a signature much more similar to that of Passlib’s passlib.ifc.PasswordHash.verify().

Typically applications will provide the TOTP key in whatever format it’s stored by the server. This will usually be a JSON string (as output by TOTP.to_json()), but can be any format accepted by TOTP.from_source(). As an example:

>>> # application loads json-serialized TOTP key
>>> from passlib.totp import TOTP
>>> totp_source = '{"v": 1, "type": "totp", "key": "otxl2f5cctbprpzx"}'

>>> # parse & match the token in a single call
>>> match = TOTP.verify('123456', totp_source)

See also

For more details, see the TOTP.match() and TOTP.verify() methods.

Preventing Token Reuse

Even if an attacker is able to observe a user entering a TOTP token, it will do them no good once period + window seconds have passed (typically 60). This is because the current time will now have advanced far enough that TOTP.match() will never match against the stolen token.

However, this leaves a small window in which the attacker can observe and replay a token, successfully impersonating the user. To prevent this, applications are strongly encouraged to record the latest TotpMatch.counter value that’s returned by the TOTP.match() method.

This value should be stored per-user in a temporary cache for at least period + window seconds. (This is typically 60 seconds, but for an exact value, applications may check the TotpMatch.cache_seconds value returned by the TOTP.match() method).

Any subsequent calls to verify should check this cache, and pass in that value to TOTP.match()‘s “last_counter” parameter (or None if no value found). Doing so will ensure that tokens can only be used once, preventing replay attacks.

As an example:

>>> # NOTE: all of the following was done at a fixed time, to make these
>>> #       examples repeatable. in real-world use, you would omit the 'time' parameter
>>> #       from all these calls.

>>> # assuming TOTP key & config was deserialized from database store
>>> from passlib.totp import TOTP
>>> otp = TOTP(key='GVDOQ7NP6XPJWE4CWCLFFSXZH6DTAZWM')

>>> # retrieve per-user counter from cache
>>> last_counter = ...consult application cache...

>>> # if user provides valid value, a TotpMatch object will be returned.
>>> # (if they provide an invalid value, a TokenError will be raised).
>>> match = otp.match('359275', last_counter=last_counter, time=1475338830)
>>> match.counter
49177961
>>> match.cache_seconds
60

>>> # application should now cache the new 'match.counter' value
>>> # for at least 'match.cache_seconds'.

>>> # now that last_counter has been properly updated: say that
>>> # 10 seconds later attacker attempts to re-use token user just entered:
>>> last_counter = 49177961
>>> match = otp.match('359275', last_counter=last_counter, time=1475338840)
...
UsedTokenError: Token has already been used, please wait for another.

See also

For more details, see the TOTP.match() method; for more examples, see Step 6 above.

Why Rate-Limiting is Critical

The TOTP.match() method offers a window parameter, expanding the search range to account for the client getting slightly out of sync.

While it’s tempting to be user-friendly, and make this window as large as possible, there is a security downside: Since any token within the window will be treated as valid, the larger you make the window, the more likely it is that an attacker will be able to guess the correct token by random luck.

Because of this, it’s critical for applications implementing OTP to rate-limit the number of attempts on an account, since an unlimited number of attempts guarantees an attacker will be able to guess any given token.

The Gory Details

For TOTP, the formula is odds = guesses * (1 + 2 * window / period) / 10**digits; where window in this case is the TOTP.match() window (measured in seconds), and period is the number of seconds before the token is rotated.

This formula can be inverted to give the maximum window we want to allow for a given configuration, rate limit, and desired odds: max_window = floor((odds * 10**digits / guesses - 1) * period / 2).

For example (assuming TOTP with 7 digits and 30 second period), if you want an attacker’s odds to be no better than 1 in 10000, and plan to lock an account after 4 failed attempts – the maximum window you should use would be floor((1/10000 * 10**6 / 4 - 1) * 30 / 2) or 360 seconds.