Received the same two-step verification code 3 times in a row

I was curious as to how this code is generated. Is it generated by the app or server? What is the TTL?

I was logging in to my desktop app and when I entered the code, it didn’t work. So I re-attempted my login. I received a new email with the same code as the previous email. I did this a third time with the same result. The fourth time generated a new code that worked for me.

I think I got an answer to where it is generated. I just tried logging into the browser app and the code was the same from when I logged into my desktop app. It would seem the server generates the code.

If you’re using email as your Bitwarden 2FA method, then the code is generated by the server (and delivered to you by email). There would have to be some delay before a new value of the code is generated, to account for potential delays in delivery of the email.

If you’re using TOTP for 2FA, then the code is generated locally, on your device. These codes change every 30 seconds.

Why wouldn’t it generate a new code on a new request? That is my experience with other platforms.

A different Bitwarden app is expecting a different code.

I would think that makes keeping track of the codes more complicated. If I generate 3 codes in quick succession, but the codes have to remain valid for, say, 1 min (to allow for network delays), now the server would have to keep track of three different validation codes, each with their own expiration time. My guess is that the server only keeps track of a single code, to keep things simple; thus, repeated requests would have to produce the same code.

With other services, the old codes are invalidated on the generation of a new one.

Hi @ajkelsey - thanks for the feedback! I’ve passed this along to the team for consideration.
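The two server-side behaviours discussed in this thread (re-sending the same unexpired code versus invalidating the old code whenever a new one is requested), modelled as an added example; it is not Bitwarden's code and not part of any post. The class name `EmailCodeStore`, the policy names, the 6-digit code length, the 60-second TTL and the explicit `now` argument are all assumptions made for illustration.

```python
import hmac
import secrets


def random_code():
    """Six random digits from the CSPRNG (code length is an assumption)."""
    return f"{secrets.randbelow(10**6):06d}"


class EmailCodeStore:
    """Hypothetical server-side store: one pending email code per account."""

    def __init__(self, policy, ttl=60.0, gen=random_code):
        if policy not in ("reuse", "rotate"):
            raise ValueError("policy must be 'reuse' or 'rotate'")
        self.policy, self.ttl, self.gen = policy, ttl, gen
        self._pending = {}  # account -> (code, expires_at)

    def request_code(self, account, now):
        """Return the code that would be emailed for a login attempt at `now`."""
        entry = self._pending.get(account)
        if self.policy == "reuse" and entry and now < entry[1]:
            return entry[0]  # unexpired code is re-sent unchanged
        code = self.gen()
        # Overwriting the single slot invalidates any earlier code.
        self._pending[account] = (code, now + self.ttl)
        return code

    def verify(self, account, submitted, now):
        entry = self._pending.get(account)
        if entry is None or now >= entry[1]:
            self._pending.pop(account, None)  # drop expired state
            return False
        if not hmac.compare_digest(entry[0], submitted):
            return False
        del self._pending[account]  # accepted codes are single-use
        return True


def three_quick_requests(policy, gen=random_code):
    """Request three codes 10 s apart, then submit the first one at t=25 s."""
    store = EmailCodeStore(policy, ttl=60.0, gen=gen)
    acct = "user@example.test"  # constructed sample account
    codes = [store.request_code(acct, t) for t in (0.0, 10.0, 20.0)]
    return codes, store.verify(acct, codes[0], 25.0)
```

Both policies keep a single slot per account; they differ only in whether a repeat request inside the TTL returns the stored code or overwrites it.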