
MFA inconsistent with Duo; other authenticators OK

Open voyager529 opened this issue 7 months ago • 0 comments

Describe the bug
When Cisco Duo is used to generate TOTP codes for 2FA authentication, it works for a time, then stops. A reboot of the server fixes this for a bit, but it stops after some time (a few hours to a few days).

I would like to use Duo rather than Authy/Aegis/Google because users in this environment use Duo's standard 2FA for logins; having a consistent app is infinitely preferable.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a Defguard server with the one-line script + dependencies (EXACT procedure I followed: https://pastebin.com/KmwXQBdC)
  2. Create a user account, enable TOTP 2FA, and have the user create a third-party account in Duo to generate codes.
  3. Wait a day or two.
  4. Receive frantic call from user that Duo doesn't work.

Expected behavior
Duo's codes should be valid.

Version information

  • Defguard Core version: v0.10.0 (assuming latest release; did a docker compose up -d --force-recreate --no-deps --build during troubleshooting)
  • Defguard Gateway version: v0.6.2 (assuming latest)
    • Operating system and version running the gateway: Debian 12
  • Your browser and version: any

Additional context
Troubleshooting steps already tried:

  1. Reboot the VM. Again, this works for some time, but the issue is inconsistent.
  2. Verified the time on the VM. Always within 2 seconds of an NTP query of pool.ntp.org.
  3. Added this line to the .env file: DEFGUARD_MFA_CODE_TIMEOUT=1800000 . Documentation was unclear on this; I tried both this number and '180s' for the time format, then ran the 'docker compose' line above to force a rebuild with the environment variable.

Unlike other TOTP generators, Duo always starts at 30s on open, which can cause issues with timing. I'm fine with 180s or even 240s TTLs on the codes, but it's not clear how to check that the timeout variable has been acknowledged by the stack and that the last 3-5 TOTP codes are deemed valid for that duration.

voyager529 · Jul 05 '24 17:07