
... like you need to when using TOTP for anything


Maybe I'm irrational, but it's one of the things that makes me really hesitant about where I deploy TOTP. Sometimes my cellphones randomly have a wildly wrong time -- a misbehaving (or malicious) cell tower perhaps? And sometimes my computer gets the wrong time too -- e.g. booting between Windows and Linux screwing up the system timezone setting, or ntp failing to start properly, or when I busted up my CMOS. And I have to wonder, how secure is ntp from someone just spamming a system with the wrong times, which can block me out?

I'd almost rather a combined thing where it's HOTP but it also rotates once per day like at midnight? Does anything do that, or does it even make sense? Is there a reasonable alternative -- challenge-response maybe?


> Sometimes my cellphones randomly have a wildly wrong time -- a misbehaving (or malicious) cell-tower perhaps?

If you experience that often, I would probably disable the setting to automatically set time from the network.

> booting between Windows and Linux screwing up the system timezone setting

That’s easily fixable with one registry change (RealTimeIsUniversal). You can also tell Linux to use the local time, but Linux will be less happy about that than Windows (Linux won’t write to the real-time clock automatically, for example).


The Linux/Windows timezone issue can be fixed with a registry setting [1]

If for some reason your time is off (e.g. after 3 failed attempts), it's easily detectable and fixable. Just browse to time.is [2], see whether your time is off, and set it manually if needed.

Because there's an increased dependency on accurate time, bad network time is now quite a rare occurrence in my experience. I haven't seen it happen in the last 3 years.

Once you point NTP to a trustworthy service (e.g. time.google.com [3] or time.cloudflare.com [4]), you won't have any issues.

The Google time server offers leap smear [5], and the Cloudflare one offers NTS (authenticated NTP).

1. https://wiki.archlinux.org/title/System_time#UTC_in_Microsof...

2. https://time.is/

3. https://developers.google.com/time

4. https://developers.cloudflare.com/time-services/nts/usage

5. https://developers.google.com/time/smear


It's one thing to lock yourself out of your application or admin interface when NTP breaks. It's another thing entirely to lock yourself out of recovering the server entirely when clock skew inevitably hits you.

If you really want 2FA for SSH, use something like Yubikeys that increment a counter and generate tokens based on that counter. And use it during the actual authentication session, not for figuring out which magic port the server will be listening on. You never have to worry about synchronized clocks, just a database tracking the highest counter value ever seen, so that previous values can't be reused.



