php-totp
How can it work with a single equality comparison?
Hello, I am just looking at how TOTP works, and I'm not sure if I understand it. In your example, you are doing `if ($user_submitted_key !== $key)`, but how can that work? Let's say a different code is generated each minute. If the client generated the code at 1:59 and the server checks it at 2:01, the check will fail, even when the "time to enter" was just two seconds!
There is no way to properly check it with a single comparison (as I understand it) without the risk of the user being "unlucky" and hitting the code change moment. The way it should work is that the server should check for the current code as well as the previous one; that way the generated password is valid for its time interval and the next one, guaranteeing that the code will be valid for at least one (and at most two) intervals.
Am I missing something?
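The window check described in the post, as an added example that is not php-totp's own code: a minimal RFC 6238 verifier in Python that accepts the current 30-second step and up to `window` previous ones, compared in constant time. The secret is the RFC 6238 test secret (constructed input, SHA-1, 6 digits); `hotp`, `totp` and `verify_totp` are names chosen for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and the `window` steps before it.

    A single `submitted == totp(secret, now)` check rejects a code that was
    generated just before a step boundary; the window closes that gap.
    Comparison is constant-time so a mismatch leaks nothing about the code.
    A production verifier should also remember the last accepted counter so
    the same code cannot be replayed inside the window.
    """
    current = at // step
    accepted = False
    for drift in range(window + 1):
        candidate = hotp(secret, current - drift, digits)
        # Evaluate every candidate rather than returning early, so timing
        # does not reveal which step (if any) matched.
        accepted |= hmac.compare_digest(candidate, submitted)
    return accepted


if __name__ == "__main__":
    # Constructed scenario from the post: the client generates the code at
    # T=59 (step 1), the server checks it at T=61 (already step 2).
    secret = b"12345678901234567890"  # RFC 6238 test secret
    code = totp(secret, 59)
    print("single comparison:", code == totp(secret, 61))    # False
    print("with window:      ", verify_totp(secret, code, 61))  # True
```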